> My SPF records correctly show that only a very small number of relays are
> marked as being able to originate mail from my domain. However, the problem
> is that through additional mechanisms such as SMTP AUTH, authorised users
> within the domain can originate mail from essentially anywhere. This causes
> problematic interactions with SPF, as SA identifies that the sending IP#
> is indeed not listed in SPF. I'd mistakenly assumed that since I require all
> the users to use a relay which _is_ listed in SPF, that this would be a
> non-issue.
>
> Can someone advise the correct way to resolve this?
Run SPF at the MTA level and skip the SPF check when the user has
authenticated. At least that is how I do it. I also skip DNS lookups on the
sender and RBL checking when I have valid auth. If you have to run it at the
queue level, you'll need to write a rule that checks for auth in the Received
headers (which could be easily spoofed), and then turn the old SPF tests into
META rules that depend on __USER_AUTH. For example...

# qmail received header with valid authentication
# format- Received: from unknown (HELO localhost) ([EMAIL PROTECTED])
header __USER_AUTH Received =~ /^from.*\([EMAIL PROTECTED]'[EMAIL PROTECTED])$/

meta NEW_SPF_FAIL (SPF_FAIL && !__USER_AUTH)
meta NEW_SPF_SOFTFAIL (SPF_SOFTFAIL && !__USER_AUTH)
meta NEW_SPF_PASS (SPF_PASS || __USER_AUTH)

# change default scores for SPF tests
score SPF_FAIL 0.001
score SPF_SOFTFAIL 0.001
score SPF_PASS -0.001

# set old default scores to the NEW_SPF rules
score NEW_SPF_FAIL 0 0.974 0 0.875
score NEW_SPF_SOFTFAIL 0.500
score NEW_SPF_PASS -0.001

Realize there are SPF_HELO_* tests also that you may want to override; I'm
just giving you some ideas how.

D
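The gating logic in the reply above, worked through in Python as an added example (this is not code from the original message or from SpamAssassin itself). It takes the SPF verdict as an input rather than doing the DNS lookup, so it runs offline; the Received header formats, addresses and sample messages are constructed for illustration, and the function names are hypothetical. It goes slightly beyond the qmail-only rule in the reply: it also recognises the Postfix-style `(Authenticated sender: ...)` comment, and it only consults the topmost Received header, the one your own MTA wrote, which is the practical answer to the spoofing caveat the reply raises, since anything deeper in the stack was written by whoever handed you the message.

```python
import re
from email import message_from_string

# Constructed Received formats this example recognises (assumptions, not
# taken from the original post):
#   qmail + SMTP AUTH:  "from unknown (HELO localhost) (alice@example.org)"
#   Postfix:            "from host (host [ip]) (Authenticated sender: alice)"
AUTH_PATTERNS = [
    re.compile(r"^from\s+\S+\s+\(HELO\s+[^\s()]+\)\s+\(([^\s()]+@[^\s()]+)\)", re.I),
    re.compile(r"\(Authenticated sender:\s*([^\s()]+)\)", re.I),
]

# Scoreset 1 (network tests on, Bayes off) taken from the reply's score lines.
SCORES = {"NEW_SPF_FAIL": 0.974, "NEW_SPF_SOFTFAIL": 0.500, "NEW_SPF_PASS": -0.001}


def user_auth(received):
    """__USER_AUTH: True only if the topmost Received header (the one added
    by our own MTA on the final hop) records SMTP AUTH. Deeper headers are
    sender-supplied and trivially forged, so they are ignored."""
    if not received:
        return False
    top = " ".join(received[0].split())  # unfold continuation lines
    return any(p.search(top) for p in AUTH_PATTERNS)


def meta_rules(spf_result, authed):
    """The three meta rules from the reply, evaluated as booleans."""
    return {
        "NEW_SPF_FAIL": spf_result == "fail" and not authed,
        "NEW_SPF_SOFTFAIL": spf_result == "softfail" and not authed,
        "NEW_SPF_PASS": spf_result == "pass" or authed,
    }


def score_message(raw, spf_result):
    """spf_result is what SA's SPF plugin would have returned for the
    connecting IP ('pass', 'fail', 'softfail', 'none'); it is passed in
    here instead of looked up so the example runs without DNS."""
    msg = message_from_string(raw)
    authed = user_auth(msg.get_all("Received") or [])
    hits = meta_rules(spf_result, authed)
    total = round(sum(SCORES[r] for r, hit in hits.items() if hit), 3)
    return authed, hits, total


# Constructed sample 1: a roaming user submitted through our relay with
# SMTP AUTH. The connecting IP is not in SPF, but __USER_AUTH suppresses
# the failure and forces NEW_SPF_PASS.
AUTHED = """\
Received: from unknown (HELO localhost) (alice@example.org)
  by relay.example.org with ESMTPA; Tue, 1 Jan 2008 10:00:00 +0000
From: alice@example.org
Subject: report

hi
"""

# Constructed sample 2: a forgery. The sender planted a qmail-style auth
# line deeper in the header stack, but our own MTA's header (topmost)
# shows a plain, unauthenticated connection, so the forgery is ignored.
FORGED = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
  by relay.example.org with ESMTP; Tue, 1 Jan 2008 10:00:00 +0000
Received: from unknown (HELO localhost) (alice@example.org)
  by mail.example.net with ESMTPA; Tue, 1 Jan 2008 09:59:00 +0000
From: alice@example.org
Subject: report

hi
"""

if __name__ == "__main__":
    for name, raw in (("authed", AUTHED), ("forged", FORGED)):
        print(name, score_message(raw, "fail"))
```

The point of trusting only the topmost header is that a SpamAssassin `header` rule matched against the whole Received stack, like the one in the reply, will fire on a forged line a spammer adds below your own; in a real deployment the equivalent is to match only the header your trusted relay writes.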
