Solved

SPF_SOFTFAIL on local mail

Posted on 2008-10-21
Last Modified: 2013-12-09
Hi!

Apparently SPF records do not get checked when receiving mail from local senders (e.g. when I send mail to myself). However, SpamAssassin's SPF_SOFTFAIL rule still kicks in. It probably doesn't matter much since that rule isn't going to bump up the score high enough on genuine local mail to get tagged but still something that should get fixed regardless ....

Any ideas/help would be appreciated.
Question by:Julian Matz
 
LVL 4

Expert Comment

by:urgoll
ID: 22777197
Hello,
if SpamAssassin triggers an SPF_SOFTFAIL, then it means that you do have an SPF record for your domain. If so, you should either:
- modify your SPF record to allow mail from local sources
- configure SpamAssassin to NOT do SPF checks on your domain using:
whitelist_from_spf *@example.com

but that would allow spammers to spoof your own domain, thus reducing the usefulness of SPF checks.

Regards,
Christophe
0
 
LVL 21

Author Comment

by:Julian Matz
ID: 22778436
Hi Christophe,

I do have SPF set up for my domain. It seems to be set up correctly and when I run tests using my mail server's IPs they all result in SPF Pass. Postfix also seems to be set up correctly since I can see (SPF none | SPF pass | SPF softfail) in message headers. It's just when I send mail from one of my own accounts to myself that (presumably) Postfix doesn't check SPF but SA does. Does this make sense?
0
 
LVL 4

Expert Comment

by:urgoll
ID: 22779092
How do you send emails to yourself? Do you set your SMTP server on your mail client to your Postfix server on port 25, or do you use some other server?

Assuming you are using postfix as your SMTP server, then it is not doing the SPF check as it hits the 'permit_mynetworks' smtpd restriction rule. However, SpamAssassin has no such knowledge of 'allowed local subnets' and doesn't make a difference between original submission and relaying. So you may have to add to your SPF record your local network addresses as allowed senders.
0
 
LVL 21

Author Comment

by:Julian Matz
ID: 22779204
I use my mail client (Mozilla Thunderbird) to connect to my SMTP server (Postfix) on port 25.

These are the headers I receive:

X-Spam-Status: No, score=-1.3 required=5.0 tests=AWL,BAYES_00,RDNS_NONE,
      SPF_SOFTFAIL autolearn=no version=3.2.3

Received: from [127.0.0.1] (unknown [CLIENT_IP_ADDRESS])
      by MAIL_SERVER_FQDN (Postfix) with ESMTP id 7C00B5AE
      for <info@xxxxx.com>; Tue, 21 Oct 2008 20:56:44 +0100 (IST)


Do you mean add 127.0.0.1 to my SPF record?
0
 
LVL 4

Accepted Solution

by:
urgoll earned 500 total points
ID: 22779281
Yes, if you were to add 'ip4:127.0.0.1' to your SPF record, the problem would likely go away.

Also note that you have this test failing: RDNS_NONE

which means that your DNS server probably isn't configured to resolve the reverse lookup of 127.0.0.1. It should reverse to 'localhost' and 'localhost' should resolve to 127.0.0.1.

Regards,
Christophe
0
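An added illustration (not part of the thread, and not SpamAssassin's or Postfix's code) of how an SPF record is evaluated against a client IP, covering only the `ip4`, `ip6` and `all` mechanisms. The two records and the addresses 192.0.2.25 (mail server) and 198.51.100.7 (standing in for CLIENT_IP_ADDRESS) are constructed assumptions.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data: a record before and after adding ip4:127.0.0.1,
# and the addresses worth testing (server, loopback, ISP-assigned client).
RECORD_BEFORE = "v=spf1 ip4:192.0.2.25 ~all"
RECORD_AFTER = "v=spf1 ip4:192.0.2.25 ip4:127.0.0.1 ~all"
CANDIDATE_IPS = ["192.0.2.25", "127.0.0.1", "198.51.100.7"]


def evaluate_spf(record, client_ip):
    """Evaluate a simplified SPF record against a connecting client IP.

    Mechanisms that need DNS (a, mx, include, ...) and modifiers are
    skipped, so this is a teaching aid rather than a full evaluator.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


def compare(record):
    """Return {ip: result} for every candidate address."""
    return {ip: evaluate_spf(record, ip) for ip in CANDIDATE_IPS}


if __name__ == "__main__":
    for label, record in (("before", RECORD_BEFORE), ("after", RECORD_AFTER)):
        print(label, compare(record))
```

In a Postfix `Received:` line the first token after `from` is the HELO name and the bracketed address inside the parentheses is the connecting client, so it is worth running both through the check to see which one the softfail comes from.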
 
LVL 21

Author Comment

by:Julian Matz
ID: 22779892
Ok, I know how rDNS works in general, but not sure about local/internal IPs.

When I type the following:
$ host 127.0.0.1

I get this:
1.0.0.127.in-addr.arpa domain name pointer localhost.

I thought it would be more likely that the RDNS_NONE rule was being applied to my client IP assigned (by my ISP) to the machine from which I sent the email?
0
 
LVL 4

Expert Comment

by:urgoll
ID: 22780763
RDNS_NONE applies to the client IP address as seen from Postfix. In this case:

Received: from [127.0.0.1] (unknown [CLIENT_IP_ADDRESS])
      by MAIL_SERVER_FQDN (Postfix) with ESMTP id 7C00B5AE
      for <info@xxxxx.com>; Tue, 21 Oct 2008 20:56:44 +0100 (IST)

it appears to be the localhost.

Anyway, it doesn't seem to matter. I also noticed in the SpamAssassin that RDNS_NONE can sometimes be triggered regardless of the actual rDNS status for trusted sources. This may be the case.

0
 
LVL 21

Author Closing Comment

by:Julian Matz
ID: 31508557
Thanks!
0

Question has a verified solution.