Luis Hernán Otegui wrote:
> OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth
> headers. Now, a question: how do I assign a score of zero to SPF_FAIL
> (in order to disable that rule) if my custom rule matches? I guess
> it's via a META rule, but I can't get it working...
> Based on the rule published at SA's Wiki, I was thinking of something
> like this:
> header LOCAL_AUTH_RCVD Received =~ /\(authenticated \(\d+ bits\)\)
> by services04\.student\.cs\.uwaterloo\.ca /
> But here I lost it. Thought of something like this:
> score LOCAL_AUTH_NO_SPF -0.693
> which has the exact reverse score of SPF_FAIL. I think it would be
> more elegant to zero that rule in this particula case. But I don't
> know how to do it...

The problem is that SPF_FAIL isn't the only thing that you don't want to
trigger that could trigger. Any of the DNSBL tests could hit, too,
depending on where your roaming users connect from.

If you can't get one of the methods to extend trust to work (getting
Postfix to insert an auth header in late 2.2 or any 2.3+ or using
msa_networks in SA 3.2) you're best off not scanning auth'd mail at all
if you can manage a way to do it.

Otherwise, the UW example of matching on a received header and deducting
a score is your last resort. You might as well make it a fairly large
negative score since you'll want it to counter both SPF_FAIL and any
DNSBL tests that hit. There's no way to use a meta, or anything other
than a plugin that mucks with SA internals, to zero the score for
SPF_FAIL as you'd like.