Solved

SPF_SOFTFAIL on local mail

Posted on 2008-10-21
8
834 Views
Last Modified: 2013-12-09
Hi!

Apparently SPF records do not get checked when receiving mail from local senders (e.g. when I send mail to myself). However, SpamAssassin's SPF_SOFTFAIL rule still kicks in. It probably doesn't matter much since that rule isn't going to bump up the score high enough on genuine local mail to get tagged but still something that should get fixed regardless ....

Any ideas/help would be appreciated.
0
Comment
Question by:Julian Matz
  • 4
  • 4
8 Comments
 
LVL 4

Expert Comment

by:urgoll
Comment Utility
Hello,
if SpamAssassin triggers a SPF_SOFTFAIL, then it means that you do have a SPF record for your domain. If so, you should either:
- modify your SPF record to allow mail from local sources
- configure spamassassin to NOT do SPF checks on your domain using:
whitelist_from_spf *@example.com

but that would allow spammers to spoof your own domain, thus reducing the usefulness of SPF checks.

Regards,
Christophe
0
 
LVL 21

Author Comment

by:Julian Matz
Comment Utility
Hi Christophe,

I do have SPF set up for my domain. It seems to be set up correctly and when I run tests using my mail server's IPs they all result in SPF Pass. Postfix also seems to be set up correctly since I can see (SPF none | SPF pass | SPF softfail) in message headers. It's just when I send mail from one of my own accounts to myself that (presumably) Postfix doesn't check SPF but SA does. Does this make sense?
0
 
LVL 4

Expert Comment

by:urgoll
Comment Utility
How do you send emails to yourself ? Do you sent your SMTP server on your mail client to your postfix server on port 25, or do you use some other server ?

Assuming you are using postfix as your SMTP server, then it is not doing the SPF check as it hits the 'permit_mynetworks' smtpd restriction rule. However, SpamAssassin has no such knowledge of 'allowed local subnets' and doesn't make a difference between original submission and relaying. So you may have to add to your SPF record your local network addresses as allowed senders.
0
 
LVL 21

Author Comment

by:Julian Matz
Comment Utility
I use my mail client (Mozilla Thunderbird) to connect to my SMTP server (Postfix) on port 25.

These are the headers I receive:

X-Spam-Status: No, score=-1.3 required=5.0 tests=AWL,BAYES_00,RDNS_NONE,
      SPF_SOFTFAIL autolearn=no version=3.2.3

Received: from [127.0.0.1] (unknown [CLIENT_IP_ADDRESS])
      by MAIL_SERVER_FQDN (Postfix) with ESMTP id 7C00B5AE
      for <info@xxxxx.com>; Tue, 21 Oct 2008 20:56:44 +0100 (IST)


Do you mean add 127.0.0.1 to my SPF record?
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 4

Accepted Solution

by:
urgoll earned 500 total points
Comment Utility
Yes, if you were to add 'ip4:127.0.0.1' to your SPF record, the problem would likely go away.

Also note that you have this test failing: RDNS_NONE

which means that your DNS server isn't probably configured to resolve the reverse lookup of 127.0.0.1. It should reverse to 'localhost' and 'localhost' should resolve to 127.0.0.1

Regards,
Christophe
0
 
LVL 21

Author Comment

by:Julian Matz
Comment Utility
Ok, I know how rDNS works in general, but not sure about local/internal IPs.

When I type following:
$ host 127.0.0.1

I get this:
1.0.0.127.in-addr.arpa domain name pointer localhost.

I thought it would be more likely that the RDNS_NONE rule was being applied to my client IP assigned (by my ISP) to the machine from which I sent the email?
0
 
LVL 4

Expert Comment

by:urgoll
Comment Utility
RDNS_NONE applies to the client IP address as seen from Postfix. In this case:

Received: from [127.0.0.1] (unknown [CLIENT_IP_ADDRESS])
      by MAIL_SERVER_FQDN (Postfix) with ESMTP id 7C00B5AE
      for ; Tue, 21 Oct 2008 20:56:44 +0100 (IST)

it appears to be the localhost.

Anyway, it doesn't seem to matter. I also noticed in the SpamAssassin that RDNS_NONE can sometimes be triggered regardless of the actual rDNS status for trusted sources. Tis may be the case.

0
 
LVL 21

Author Closing Comment

by:Julian Matz
Comment Utility
Thanks!
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

Microsoft Outlook is not just an email client but it is full featured Personal Information Manager. But sometimes Outlook gets disconnected and you simply can’t access it. What steps can you perform before calling IT support? In this article we will…
Resolve DNS query failed errors for Exchange
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now