Hi, I have the following setup, where smtp.X.com is an arbitrary host that sends mail to [EMAIL PROTECTED], mx.B.com is an ISP's MX that forwards my mail for [EMAIL PROTECTED] to [EMAIL PROTECTED]:
[EMAIL PROTECTED] [smtp.X.com] -> [EMAIL PROTECTED] [mx.B.com] -> [EMAIL PROTECTED] [mx.A.com] I fetch my mail via POP/IMAP from A.com. SpamAssassin runs on A.com's systems, with SPF checks enabled. I am not system adminstrator at A.com or B.com. I only have control over SA's user_prefs at A.com. mx.B.com is in trusted_networks, all machines at A.com are in internal_networks. always_trust_envelope_sender is enabled since the trusted relays do not rewrite envelope from. Now, this setup entails the well-known problem that if X.com publishes an SPF record, SpamAssassin (3.2.4) spanks the message with SPF_FAIL since it checks the first *external* relay (mx.B.com), not the first untrusted relay against X.com's SPF policy. There's a comment about this in Plugins/SPF.pm's _get_relay(): # dos: first external relay, not first untrusted so it seems there's some explicit design decision behind this. Now, I see the following possibilities to solve/work around the problem. First, the ones not viable (I believe that this situation is fairly common): 1) Don't forward - not an option. 2) Lobby B.com to implement SRS - hopeless. 3) Lobby B.com to insert a Received-SPF header, which SA would interpret - also hopeless. Now, the viable ones: 4) Zero the scores for SPF_FAIL and SPF_SOFTFAIL. This way, I don't risk false positives, but the underlying problem is not solved, and I lose the opportunity to whitelist using whitelist_auth. This "solution" is what I'm currently using. 5) Extend internal_networks to include B.com. Now, SA's SPF checks smtp.X.com against X.com's SPF policy, and detects an SPF_PASS (and also detects SPF failures if email addresses are forged). However, I am unsure about the possibly harmful implications of extending internal_networks beyond the local system. If I read the manual correctly, then this is not recommended, especially since mx.B.com also accepts mail directly from dial-up connections. Now, my questions: what's the recommended best practice for this sort of situation, which I believe is not so uncommon? Is there a better solution than 4)? Thanks, Moritz -- View this message in context: http://www.nabble.com/SPF-and-forwarding-best-practice-tp16669126p16669126.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
