Re: SPF_FAIL
On Wed, 11 Nov 2020 17:01:21 +0100 > On 11.11.20 15:41, RW wrote: > >Note that without a DKIM pass, SPF is easily spoofed in TxRep. > > is it? how does that work then? It's implicit in the next bit. > >DKIM reputations are identified by a combination of header from > >address and signing domain. SPF pass reputations are just identified > >by header address, without incorporating the envelope domain or > >requiring alignment. These two cases share the same "authenticated" primary reputation: Return-path: c...@example.com From: c...@example.com Return-path: some...@somewhereelse.com From: c...@example.com The benefit of this could be substantial, particularly with txrep_learn_bonus set. All you have to do is make sure the envelope sender passes SPF. To be honest I haven't verified this, but the code looks straightforward. $signedby gets set to the tag DKIMDOMAIN or falls back to the fixed string 'spf' for an SPF pass.
Re: SPF_FAIL
Matus UHLAR - fantomas skrev den 2020-11-11 17:01: Martin Gregorie skrev den 2020-11-11 11:02: On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote: On 11.11.20 15:41, RW wrote: Note that without a DKIM pass, SPF is easily spoofed in TxRep. is it? how does that work then? On 11.11.20 17:20, Benny Pedersen wrote: signedby tracking in awl and txrep but not signed, does just group them as not signed, it still is reputition can you please describe deeper? how is it spoofed? does it ignore SPF sometimes, and takes for correct otherwise? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: SPF_FAIL
Matus UHLAR - fantomas skrev den 2020-11-11 17:01: Martin Gregorie skrev den 2020-11-11 11:02: > On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote: On 11.11.20 15:41, RW wrote: Note that without a DKIM pass, SPF is easily spoofed in TxRep. is it? how does that work then? signedby tracking in awl and txrep but not signed, does just group them as not signed, it still is reputition
Re: SPF_FAIL
Martin Gregorie skrev den 2020-11-11 11:02: > On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote: > I suppose some may find it useful to datestamp entries with the last > time mail was sent to them and remove any addresses that haven't > been sent mail for 'x' days/weeks/months/years but I've never > needed that ability. On Wed, 11 Nov 2020 11:14:05 +0100 Benny Pedersen wrote: amavisd have penpal spamassassin have txrep On 11.11.20 15:41, RW wrote: Note that without a DKIM pass, SPF is easily spoofed in TxRep. is it? how does that work then? DKIM reputations are identified by a combination of header from address and signing domain. SPF pass reputations are just identified by header address, without incorporating the envelope domain or requiring alignment. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "To Boot or not to Boot, that's the question." [WD1270 Caviar]
Re: SPF_FAIL
On Wed, 11 Nov 2020 11:14:05 +0100 Benny Pedersen wrote: > Martin Gregorie skrev den 2020-11-11 11:02: > > On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote: > > > I suppose some may find it useful to datestamp entries with the last > > time mail was sent to them and remove any addresses that haven't > > been sent mail for 'x' days/weeks/months/years but I've never > > needed that ability. > > amavisd have penpal > spamassassin have txrep Note that without a DKIM pass, SPF is easily spoofed in TxRep. DKIM reputations are identified by a combination of header from address and signing domain. SPF pass reputations are just identified by header address, without incorporating the envelope domain or requiring alignment.
Re: SPF_FAIL
Martin Gregorie skrev den 2020-11-11 11:02: On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote: I suppose some may find it useful to datestamp entries with the last time mail was sent to them and remove any addresses that haven't been sent mail for 'x' days/weeks/months/years but I've never needed that ability. amavisd have penpal spamassassin have txrep it require no maintaince at all when configured but i admit txrep could need more support to this
Re: SPF_FAIL
On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote: > > If I only had a ready-made list of those important domains. > > If you filter for customer domains then maybe (depending the customer > domain) adding the customer domain to spf checks is worth a look too. > That's easy: keep a database of addresses you've sent mail to and treat that as a whitelist. Should work at almost any scale and about the only essential maintenance it needs is the ability to remove addresses you no longer want to whitelist. I suppose some may find it useful to datestamp entries with the last time mail was sent to them and remove any addresses that haven't been sent mail for 'x' days/weeks/months/years but I've never needed that ability. Martin
Re: SPF_FAIL
> If I only had a ready-made list of those important domains. If you filter for customer domains then maybe (depending the customer domain) adding the customer domain to spf checks is worth a look too. On 11/11/20 6:29 AM, Victor Sudakov wrote: > John Hardin wrote: >> >>> Moreover, after reading other replies in the thread, I am even begining to >>> doubt the wizdom of rejecting hard SPF fails in the MTA (which I do in >>> some installations). >> >> "it depends". >> >> Doing that for certain domains - like, large banks - would probably be a >> good idea. By default, for all domains, not so much. > > If I only had a ready-made list of those important domains. > >
