SPF and forwarding best practice
I have the following setup, where smtp.X.com is an arbitrary host that sends
mail to [email]me@B.com[/email], mx.B.com is an ISP's MX that forwards my mail for [email]me@B.com[/email]
[email]somebody@X.com[/email] [smtp.X.com] -> [email]me@B.com[/email] [mx.B.com] -> [email]me@A.com[/email] [mx.A.com]
I fetch my mail via POP/IMAP from A.com. SpamAssassin runs on A.com's
systems, with SPF checks enabled. I am not system adminstrator at A.com or
B.com. I only have control over SA's user_prefs at A.com.
mx.B.com is in trusted_networks, all machines at A.com are in
internal_networks. always_trust_envelope_sender is enabled since the trusted
relays do not rewrite envelope from.
Now, this setup entails the well-known problem that if X.com publishes an
SPF record, SpamAssassin (3.2.4) spanks the message with SPF_FAIL since it
checks the first *external* relay (mx.B.com), not the first untrusted relay
against X.com's SPF policy. There's a comment about this in Plugins/SPF.pm's
# dos: first external relay, not first untrusted
so it seems there's some explicit design decision behind this.
Now, I see the following possibilities to solve/work around the problem.
First, the ones not viable (I believe that this situation is fairly common):
1) Don't forward - not an option.
2) Lobby B.com to implement SRS - hopeless.
3) Lobby B.com to insert a Received-SPF header, which SA would interpret -
Now, the viable ones:
4) Zero the scores for SPF_FAIL and SPF_SOFTFAIL. This way, I don't risk
false positives, but the underlying problem is not solved, and I lose the
opportunity to whitelist using whitelist_auth. This "solution" is what I'm
5) Extend internal_networks to include B.com. Now, SA's SPF checks
smtp.X.com against X.com's SPF policy, and detects an SPF_PASS (and also
detects SPF failures if email addresses are forged). However, I am unsure
about the possibly harmful implications of extending internal_networks
beyond the local system. If I read the manual correctly, then this is not
recommended, especially since mx.B.com also accepts mail directly from
Now, my questions: what's the recommended best practice for this sort of
situation, which I believe is not so uncommon? Is there a better solution
View this message in context: [url]http://www.nabble.com/SPF-and-forwarding-best-practice-tp16669126p16669126.html[/url]
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.