OK, got the picture. Guess I'll go for the upgrade of postfix.

Thanks again,


2007/6/13, Daryl C. W. O'Shea :
> Luis Hern=E1n Otegui wrote:
> > OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth
> > headers. Now, a question: how do I assign a score of zero to SPF_FAIL
> > (in order to disable that rule) if my custom rule matches? I guess
> > it's via a META rule, but I can't get it working...
> >
> > Based on the rule published at SA's Wiki, I was thinking of something
> > like this:
> >
> > header LOCAL_AUTH_RCVD Received =3D~ /\(authenticated \(\d+ bits\)\)
> > by services04\.student\.cs\.uwaterloo\.ca /
> >
> >
> > But here I lost it. Thought of something like this:
> >
> > score LOCAL_AUTH_NO_SPF -0.693
> >
> > which has the exact reverse score of SPF_FAIL. I think it would be
> > more elegant to zero that rule in this particula case. But I don't
> > know how to do it...

> The problem is that SPF_FAIL isn't the only thing that you don't want to
> trigger that could trigger. Any of the DNSBL tests could hit, too,
> depending on where your roaming users connect from.
> If you can't get one of the methods to extend trust to work (getting
> Postfix to insert an auth header in late 2.2 or any 2.3+ or using
> msa_networks in SA 3.2) you're best off not scanning auth'd mail at all
> if you can manage a way to do it.
> Otherwise, the UW example of matching on a received header and deducting
> a score is your last resort. You might as well make it a fairly large
> negative score since you'll want it to counter both SPF_FAIL and any
> DNSBL tests that hit. There's no way to use a meta, or anything other
> than a plugin that mucks with SA internals, to zero the score for
> SPF_FAIL as you'd like.
> Daryl

GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...