Benny Pedersen wrote:
> Alex wrote on 2015-12-10 03:42:
>
>> If I wanted to use SPF in spamassassin to block spoofing attempts
>> against my domain, how would I do that?
>> Can I create a meta that combines SPF_FAIL with the From header for my
>> domain to do this?
>
> setup pypolicyd-spf is not that hard is it ?
>
> when done, you just configure the spamassassin plugin to reuse the
> received-spf header
>
> data in spf must be with all mynetworks in postfix except all non
> routable ips such as rfc1918 in the spf for mydestination and virtual
> domains

No, that's not correct.

Postfix $mynetworks, and the equivalent setting in other MTA software, lists IP ranges that can use your server as an outgoing relay, for any sender/recipient pair, without further authentication (let's leave aside any further policy limits you might want that go in other settings; this is the basic minimum).

An ISP like the one I work for lists "many" IP ranges in $mynetworks (we're up to ~15 ranges totalling something like an aggregate /15; essentially all IP address space we've been assigned from ARIN), because we want to allow our customers to send out their email through our server. Most of these IP ranges should NOT be emitting any SMTP traffic to the Internet at large, at all, period; they should be using the ISP relay host or some other authenticated third party mail relay server. So most of these IPs are irrelevant for SPF except as failure cases.

SPF lists IPs or IP ranges that may use a particular domain as their envelope sender. Our SPF record lists a much MUCH smaller list of IPs and ranges; essentially, the IP ranges our core mail servers live in. Those are, formally speaking, the only IP addresses in the world authorized to use vianet.ca as their SMTP envelope sender. Third parties should never see traffic with a vianet.ca envelope sender directly from any other IP. Note that our customers are authorized by using our outbound relayhost; the third party should not "see" the original sender's connection IP when doing the SPF check.

There is no requirement that there be any overlap between the two, although in most cases the SPF list is likely a small subset of $mynetworks.

-kgd
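
The distinction drawn in the reply above, as an added example that is not part of the original thread: the same connecting IP is checked once against a relay list in the role of `$mynetworks` and once against an SPF record. The ranges, the record and the function names are constructed for illustration (RFC 5737 documentation addresses), and the SPF check is deliberately simplified to the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed sample data using RFC 5737 documentation ranges (assumptions,
# not any real site's configuration).
MYNETWORKS = ["127.0.0.0/8", "198.51.100.0/24", "203.0.113.0/24"]  # may relay
SPF_RECORD = "v=spf1 ip4:203.0.113.16/28 -all"  # may send as the domain

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def relay_allowed(client_ip, mynetworks=MYNETWORKS):
    """Would the MTA relay for this client without further authentication?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in mynetworks)


def spf_result(client_ip, record=SPF_RECORD):
    """Simplified SPF check: only ip4:, ip6: and all are evaluated."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, value = mech.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            # Membership is False when the address families differ.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def classify(client_ip):
    """Return (relay_allowed, spf_result) for a connecting IP."""
    return relay_allowed(client_ip), spf_result(client_ip)


if __name__ == "__main__":
    # Core mail server, customer address, unrelated outside address.
    for ip in ("203.0.113.20", "198.51.100.25", "192.0.2.10"):
        print(ip, classify(ip))
```

The customer address is allowed to relay yet fails SPF, which is the intended outcome: its mail reaches third parties from the relay host's address, not its own.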