On Mon, 4 Sep 2006, John Andersen wrote:

> This does not seem all that unusual a setup to use in the linux
> world, and one that SPF tests should be able to handle, so I'm
> suspecting there may be a setup problem somewhere.

MTA SPF should only be run on a mail relay that is receiving messages
directly from the Internet.

I'll assume that you're talking about SPF tests within SA.

> In this case the spf tests were seemingly applied to the last
> mailserver (my ISP's mail server) rather than the originator's
> mail server, and then this last mail server is tested against the
> originator's SPF records.
> 
> The (simplified) route was:
> 
> Received: from pen.homeip.net 
> 
> Received: from v-msgmmp.gci.net by pen.homeip.net with POP3 (fetchmail-6.3.2)
> 
> Received: from msgmta-3.gci.net by mailstore-1.gci.net
>  
> Received: from psmtp.com by msgmta-3.gci.net
> 
> Received: from <aweb-site-of-mine> by exprod6mx139.postini.com

Urk. I suspect shipping all of your mail through Postini will make SPF
past that point useless. Do they do proper sender rewriting (SRS)?

> Received: from utl-lnx3.puk.ac.za by <aweb-site-of-mine>.com with

You MAY be able to get SPF within SA on pen.homeip.net to work by
extending your trusted hosts list out to include postini, or to
<aweb-site-of-mine>.com

> Received: from pcm-nov-gwia-server.puk.ac.za by utl-lnx3.puk.ac.za
> 
> Received: from PUKGWIA-MTA by pcm-nov-gwia-server.puk.ac.za   
> 
> The spf-fail was reported because msgmta-3.gci.net (my ISP)
> is not a sender for puknet.puk.ac.za.

It sounds like <aweb-site-of-mine>.com should be on your trusted hosts
list. That would probably cue SA in to do the SPF tests from that POV
rather than from the POV of pen.homeip.net.

I'm not intimately familiar with trust path issues the way some others
here are. I don't know if having a trusted host in the middle of a
sequence of untrusted hosts will cause problems.

Alternatively, you may want to perform MTA SPF checks at
<aweb-site-of-mine>.com (assuming, of course, that you have the
necessary level of administrative access), as it is directly exposed
to inbound email from the Internet at large. You may also want to run
SA *there* (same assumption), unless pen.homeip.net aggregates several
mail feeds.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 So Microsoft's invented the ASCII equivalent to ugly ink spots that
 appear on your letter when your pen is malfunctioning.
         -- Greg Andrews, about Microsoft's way to encode apostrophes
-----------------------------------------------------------------------
 13 days until The 219th anniversary of the signing of the U.S. Constitution
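As an added example (not part of the thread, and not SpamAssassin's own code), here is a small Python model of the trust-path idea discussed above: an SPF check is applied to the first relay that is not on the trusted hosts list, so where that list ends decides which host gets judged. The Received chain is reconstructed from the simplified one quoted in the thread; `aweb-site-of-mine.example` is a placeholder for the redacted domain, and the walk itself is a simplification of what SA does internally.

```python
import re

# Constructed from the (simplified) chain quoted in the thread, newest hop first.
# "aweb-site-of-mine.example" is a placeholder for the redacted domain.
RECEIVED = [
    "Received: from pen.homeip.net",
    "Received: from v-msgmmp.gci.net by pen.homeip.net with POP3 (fetchmail-6.3.2)",
    "Received: from msgmta-3.gci.net by mailstore-1.gci.net",
    "Received: from psmtp.com by msgmta-3.gci.net",
    "Received: from aweb-site-of-mine.example by exprod6mx139.postini.com",
    "Received: from utl-lnx3.puk.ac.za by aweb-site-of-mine.example",
    "Received: from pcm-nov-gwia-server.puk.ac.za by utl-lnx3.puk.ac.za",
    "Received: from PUKGWIA-MTA by pcm-nov-gwia-server.puk.ac.za",
]

# Trusted list as in the original setup: only the home box that runs fetchmail.
TRUSTED_HOME_ONLY = {"pen.homeip.net"}

# Trusted list extended, as suggested in the reply, out past Postini to the
# host that is directly exposed to the Internet.
TRUSTED_EXTENDED = TRUSTED_HOME_ONLY | {
    "v-msgmmp.gci.net", "mailstore-1.gci.net", "msgmta-3.gci.net", "psmtp.com",
    "exprod6mx139.postini.com", "aweb-site-of-mine.example",
}

RX = re.compile(r"^Received: from (\S+)(?: by (\S+))?", re.IGNORECASE)

def parse_chain(headers):
    """Return (from_host, by_host) pairs, newest hop first; by_host may be None."""
    hops = []
    for h in headers:
        m = RX.match(h)
        if m:
            hops.append((m.group(1).lower(), (m.group(2) or "").lower() or None))
    return hops

def spf_checked_host(headers, trusted):
    """Return the sending host an SPF check would be evaluated against.
    Walk outward from the newest hop; every hop whose sending host is trusted is
    skipped, and the first untrusted sender is the one compared with the
    envelope sender domain's SPF record. None means every hop was trusted."""
    trusted = {t.lower() for t in trusted}
    for from_host, _by_host in parse_chain(headers):
        if from_host not in trusted:
            return from_host
    return None

if __name__ == "__main__":
    # With only the home box trusted, the ISP's relay is judged: a false SPF fail.
    print("home-only trust :", spf_checked_host(RECEIVED, TRUSTED_HOME_ONLY))
    # With trust extended to the Internet-facing host, the real sending MTA is judged.
    print("extended trust  :", spf_checked_host(RECEIVED, TRUSTED_EXTENDED))
```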
