I have the following setup, where smtp.X.com is an arbitrary host that sends
mail to me@B.com, mx.B.com is an ISP's MX that forwards my mail for me@B.com
to me@A.com:

somebody@X.com [smtp.X.com] -> me@B.com [mx.B.com] -> me@A.com [mx.A.com]

I fetch my mail via POP/IMAP from A.com. SpamAssassin runs on A.com's
systems, with SPF checks enabled. I am not system adminstrator at A.com or
B.com. I only have control over SA's user_prefs at A.com.

mx.B.com is in trusted_networks, all machines at A.com are in
internal_networks. always_trust_envelope_sender is enabled since the trusted
relays do not rewrite envelope from.

Now, this setup entails the well-known problem that if X.com publishes an
SPF record, SpamAssassin (3.2.4) spanks the message with SPF_FAIL since it
checks the first *external* relay (mx.B.com), not the first untrusted relay
against X.com's SPF policy. There's a comment about this in Plugins/SPF.pm's

# dos: first external relay, not first untrusted

so it seems there's some explicit design decision behind this.

Now, I see the following possibilities to solve/work around the problem.
First, the ones not viable (I believe that this situation is fairly common):

1) Don't forward - not an option.

2) Lobby B.com to implement SRS - hopeless.

3) Lobby B.com to insert a Received-SPF header, which SA would interpret -
also hopeless.

Now, the viable ones:

4) Zero the scores for SPF_FAIL and SPF_SOFTFAIL. This way, I don't risk
false positives, but the underlying problem is not solved, and I lose the
opportunity to whitelist using whitelist_auth. This "solution" is what I'm
currently using.

5) Extend internal_networks to include B.com. Now, SA's SPF checks
smtp.X.com against X.com's SPF policy, and detects an SPF_PASS (and also
detects SPF failures if email addresses are forged). However, I am unsure
about the possibly harmful implications of extending internal_networks
beyond the local system. If I read the manual correctly, then this is not
recommended, especially since mx.B.com also accepts mail directly from
dial-up connections.

Now, my questions: what's the recommended best practice for this sort of
situation, which I believe is not so uncommon? Is there a better solution
than 4)?


View this message in context: http://www.nabble.com/SPF-and-forwar...p16669126.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.