SPF Checking


SPF Checking

Ray Jette

Good afternoon,

I am using Postfix with postfix-policyd-spf-python for SPF. This is rejecting mail from the HELO verb. According to RFC 4008:


   The "HELO" identity derives from either the SMTP HELO or EHLO command
   (see [RFC2821]).  These commands supply the SMTP client (sending
   host) for the SMTP session.  Note that requirements for the domain
   presented in the EHLO or HELO command are not always clear to the
   sending party, and SPF clients must be prepared for the "HELO"
   identity to be malformed or an IP address literal.  At the time of
   this writing, many legitimate E-Mails are delivered with invalid HELO
   domains.


Is there a way to disable SPF checking in the HELO part of a message? Also, is there a way to bypass spf for a given host or domain?

 

Thanks,

Ray Jette


Re: SPF Checking

mouss-2
Raymond Jette wrote:
> Good afternoon,
>
> I am using Postfix with postfix-policyd-spf-python for SPF. This is
> rejecting mail from the HELO verb. According to RFC 4008:
> [snip]
>
> Is there a way to disable SPF checking in the HELO part of a message?

if postfix-policyd-spf-* supports X rays, you can try to get postfix to
send some... :)

more seriously, this is a question for that policy server developer...

> Also, is there a way to bypass spf for a given host or domain?

you can call the policy service based on the results of a
check_mumble_access.

example:

smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access

smtpd_restriction_classes = check_spf

check_spf = ...

== sender_access
example.com check_spf
example.org dunno
sub.example.org check_spf




Re: SPF Checking

Brian Evans - Postfix List
In reply to this post by Ray Jette
Raymond Jette wrote:

> Good afternoon,
>
> I am using Postfix with postfix-policyd-spf-python for SPF. This is
> rejecting mail from the HELO verb. According to RFC 4008:
>
>    The "HELO" identity derives from either the SMTP HELO or EHLO command
>    (see [RFC2821]).  These commands supply the SMTP client (sending
>    host) for the SMTP session.  Note that requirements for the domain
>    presented in the EHLO or HELO command are not always clear to the
>    sending party, and SPF clients must be prepared for the "HELO"
>    identity to be malformed or an IP address literal.  At the time of
>    this writing, many legitimate E-Mails are delivered with invalid HELO
>    domains.
>
> Is there a way to disable SPF checking in the HELO part of a message?
> Also, is there a way to bypass spf for a given host or domain?
>
> Thanks,
>
> Ray Jette

Unfortunately, Postfix does not control this behavior.

Help is best found from spf-help at http://www.openspf.org/Forums

Brian

Re: SPF Checking

Scott Kitterman-4
In reply to this post by Ray Jette
On Tue, 26 Aug 2008 12:16:00 -0400 "Raymond Jette" <[hidden email]>
wrote:

>Good afternoon,
>
>I am using Postfix with postfix-policyd-spf-python for SPF. This is
>rejecting mail from the HELO verb. According to RFC 4008:
>
>   The "HELO" identity derives from either the SMTP HELO or EHLO command
>   (see [RFC2821]).  These commands supply the SMTP client (sending
>   host) for the SMTP session.  Note that requirements for the domain
>   presented in the EHLO or HELO command are not always clear to the
>   sending party, and SPF clients must be prepared for the "HELO"
>   identity to be malformed or an IP address literal.  At the time of
>   this writing, many legitimate E-Mails are delivered with invalid HELO
>   domains.
 
The policy server is designed with this in mind.  Broken HELO names will
not cause it to reject mail.  If it is, it's a bug and I'd appreciate
evidence in the form of logs so I can fix it.

>Is there a way to disable SPF checking in the HELO part of a message?

Yes.

>Also, is there a way to bypass spf for a given host or domain?

Yes.

See the man pages installed with the package for details.

If you need more help, the spf-help mailing list is probably more
appropriate.  See http://www.openspf.org/Forums for information on how to
subscribe.

Scott K

RE: SPF Checking

Ray Jette
Thanks for the help. I found the problem in the
/etc/postfix-policyd-spf-python/policy-spf.conf file.
The HELO check rejection policy was set to:
HELO_reject = SPF_Not_Pass
I set this to HELO_reject = Null

Thanks again,
Ray

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Scott Kitterman
Sent: Tuesday, August 26, 2008 12:48 PM
To: [hidden email]
Subject: Re: SPF Checking

On Tue, 26 Aug 2008 12:16:00 -0400 "Raymond Jette" <[hidden email]>
wrote:
>Good afternoon,
>
>I am using Postfix with postfix-policyd-spf-python for SPF. This is
>rejecting mail from the HELO verb. According to RFC 4008:
>
>
>   The "HELO" identity derives from either the SMTP HELO or EHLO command
>   (see [RFC2821]).  These commands supply the SMTP client (sending
>   host) for the SMTP session.  Note that requirements for the domain
>   presented in the EHLO or HELO command are not always clear to the
>   sending party, and SPF clients must be prepared for the "HELO"
>   identity to be malformed or an IP address literal.  At the time of
>   this writing, many legitimate E-Mails are delivered with invalid HELO
>   domains.
 
The policy server is designed with this in mind.  Broken HELO names will
not cause it to reject mail.  If it is, it's a bug and I'd appreciate
evidence in the form of logs so I can fix it.

>Is there a way to disable SPF checking in the HELO part of a message?

Yes.

>Also, is there a way to bypass spf for a given host or domain?

Yes.

See the man pages installed with the package for details.

If you need more help, the spf-help mailing list is probably more
appropriate.  See http://www.openspf.org/Forums for information on how to
subscribe.

Scott K
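
The last post in the thread changes HELO_reject from SPF_Not_Pass to Null. The following is an added example, not code from the thread or from postfix-policyd-spf-python: a simplified Python model of how the HELO_reject values described in the policyd-spf.conf man page differ for one constructed Postfix policy request. Permerror/Temperror handling is left out; `bypass_networks`, the `action=dunno` pass-through and the reply text are assumptions made for illustration.

```python
import ipaddress

# Constructed Postfix policy-delegation request: name=value lines, blank line ends it.
SAMPLE_REQUEST = """request=smtpd_access_policy
protocol_state=RCPT
client_address=192.0.2.10
helo_name=mail.example.net
sender=
recipient=user@example.org

"""

# HELO SPF results that trigger rejection under each HELO_reject value (simplified model).
REJECT_RESULTS = {
    "SPF_Not_Pass": {"fail", "softfail", "neutral"},
    "Softfail": {"fail", "softfail"},
    "Fail": {"fail"},
    "Null": {"fail"},    # applied only when the envelope sender is empty
    "False": set(),      # check runs, result is recorded, never rejects
    "No_Check": set(),   # HELO identity is not checked at all
}

def parse_request(text):
    """Parse name=value attributes up to the terminating blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def helo_decision(helo_reject, helo_result, attrs, bypass_networks=()):
    """Return the policy action for the HELO identity.

    helo_result: SPF result for helo_name, assumed to come from an SPF library.
    bypass_networks: hypothetical list of CIDR strings exempt from the check.
    """
    client = ipaddress.ip_address(attrs["client_address"])
    if any(client in ipaddress.ip_network(n) for n in bypass_networks):
        return "action=dunno"
    # Null: a HELO Fail is enforced only for the null sender (bounces).
    if helo_reject == "Null" and attrs.get("sender", "") != "":
        return "action=dunno"
    if helo_result.lower() in REJECT_RESULTS[helo_reject]:
        return "action=550 HELO identity failed SPF (constructed reply text)"
    return "action=dunno"
```

In this model Null does not switch the HELO check off: a HELO Fail on a message with an empty envelope sender is still rejected, while No_Check skips the HELO identity entirely.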