I realized that the rules T_SPF_PERMERROR and T_SPF_TEMPERROR were never
hitting on my emails even though my Postfix log had multiple instances
of such errors, e.g. this timeout:

2017-01-16 14:03:35-0500 [postfix] 10111.5ms ip=173.37.142.90 h=alln-iport-3.cisco.com from=p...@cisco.com
to=u...@domain.com -> PREPEND Received-SPF: TempError (u...@domain.com: temporary error in processing during lookup
of cisco.com) client-ip=173.37.142.90; envelope-from="p...@cisco.com";
helo=alln-iport-3.cisco.com;
receiver=u...@domain.com; identity=mailfrom

I did a bit of digging into the code and found that line 394 of the SPF
plugin
<https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_SPF.html>
checks for valid Received-SPF headers:

if ($hdr =~ /^received-spf:\s*(pass|neutral|(?:soft)?fail|none)\b(?:.*\bidentity=(\S+?);?\b)?/i)
{

Since /TempError/ and /PermError/ are not handled, the SPF is never
checked. Editing this regex to include them fixes the problem.

Another aspect I find surprising is that T_SPF_HELO_PERMERROR and
T_SPF_HELO_TEMPERROR do hit regularly. My hypothesis is that an
actual DNS lookup by the SPF module is used instead of the headers, but
I did not dig into the code enough to find out.

Is this an issue that other people have experienced? I am using
spamassassin 3.4.1 and sa-update version svn1652181.

--
Olivier Coutu
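
The regex behaviour described in the post, as an added example that is not part of the original message or of SpamAssassin's code: it runs the quoted pattern and an extended one over constructed Received-SPF headers. The extended alternation `(?:temp|perm)error`, the helper `parse_spf` and all sample addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern as quoted in the post: only pass/neutral/fail/softfail/none are accepted.
my $quoted = qr/^received-spf:\s*(pass|neutral|(?:soft)?fail|none)\b(?:.*\bidentity=(\S+?);?\b)?/i;

# Assumed extension (not the project's own patch): also accept temperror and permerror.
my $extended = qr/^received-spf:\s*(pass|neutral|(?:soft)?fail|(?:temp|perm)error|none)\b(?:.*\bidentity=(\S+?);?\b)?/i;

# Constructed sample headers, shaped like the PREPEND value in the log above.
my $tail = 'client-ip=192.0.2.10; envelope-from="sender@sender.example"; '
         . 'helo=mx.sender.example; receiver=user@rcpt.example;';
my @headers = (
    "Received-SPF: Pass (constructed sample) $tail identity=mailfrom",
    "Received-SPF: TempError (constructed sample: temporary error in processing) $tail identity=mailfrom",
    "Received-SPF: PermError (constructed sample) $tail identity=helo",
    "Received-SPF: Bogus (constructed sample) $tail identity=mailfrom",
);

# Hypothetical helper: returns (result, identity) in lower case,
# or an empty list when the header is not recognised by the pattern.
sub parse_spf {
    my ($re, $hdr) = @_;
    return unless $hdr =~ $re;
    return (lc $1, defined $2 ? lc $2 : '');
}

for my $hdr (@headers) {
    my ($old_result)            = parse_spf($quoted,   $hdr);
    my ($new_result, $identity) = parse_spf($extended, $hdr);

    # Show the leading result token so each output row is easy to map to its header.
    my ($token) = $hdr =~ /^Received-SPF:\s*(\S+)/;

    printf "%-10s quoted=%-9s extended=%-9s identity=%s\n",
        $token,
        $old_result // 'no match',
        $new_result // 'no match',
        $identity   // '-';
}
```

A header the quoted pattern does not recognise yields no result at all, so a rule keyed on the error outcome has nothing to fire on.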