Mailing List Archive

Spf (specifically with spamassassin)
Greetings!

I've been researching spf and spamassassin recently. It appears that
the only way to implement spf with spamassassin is to make entries for
each domain that we want to check the spf records for. I thought that
for every email we receive the spf record would be checked by telling
spamassassin to do so - but perhaps that would require too much
overhead. Any observations? Unfortunately, going through the
spamassassin and spf documentation for me can be a bit like reading
Greek sometimes.

Thank You,

--
Timothy A. Kloos
NCD Corp.
33801 Curtis Blvd. #100
Eastlake, OH 44095
Phone: 440-953-4488
Fax: 440-953-9361
tkloos@ncdcorp.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: Spf (specifically with spamassassin)
At 20:00 12/11/2009 Thursday, Tim Kloos wrote:
>Greetings!
>
>I've been researching spf and spamassassin recently.

I respectfully believe you misuse the term research

> It appears that the only way to implement spf with spamassassin is to make entries for each domain that we want to check the spf records for. I thought that for every email we receive the spf record would be checked by telling spamassassin to do so - but perhaps that would require too much overhead. Any observations? Unfortunately, going through the spamassassin and spf documentation for me can be a bit like reading Greek sometimes.

well first off I know spamassassin can check spf on all mail, extra config is only needed to teach it your forwarders and upstream MX's
{so it doesn't check SPF on mail from them, as well they should all fail}
{but why you'd want to I don't get}

the whole point of spf is to check {and make accept/reject decision} before RCPT command
thus spam/forgery filtering before receiving the body of the mail

as spamassassin can only run with a full email, this means only after full data and only can reject after data received
{ie after you have already paid {in resources} for the spam's delivery}
{thus rendering its advantages kinda useless}

but know none of the specifics because we check spf long before mail gets to spamassassin
{thus any that gets to spamassassin already has passed}


but 5 seconds "research"

reveals that opening
/etc/mail/spamassassin/init.pre

and uncommenting the line
# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF

should do it

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
assuming you have correctly configured your trusted and internal ranges/hosts


>Thank You,
>
>--
>Timothy A. Kloos
>NCD Corp.
>33801 Curtis Blvd. #100
>Eastlake, OH 44095
>Phone: 440-953-4488
>Fax: 440-953-9361
>tkloos@ncdcorp.com

Re: Spf (specifically with spamassassin)
Tim Kloos wrote:
> I've been researching spf and spamassassin recently. It appears that
> the only way to implement spf with spamassassin is to make entries for
> each domain that we want to check the spf records for.

SpamAssassin uses SPF rather differently than it was intended to. SPF
is meant as a tool to accept/reject mail at an early stage in the SMTP
dialog, while SA is meant to be run after the body of the message has
been received.

> I thought that
> for every email we receive the spf record would be checked by telling
> spamassassin to do so - but perhaps that would require too much
> overhead.

SPF checking can be done early, as designed, possibly rejecting some
messages. SA is able to reuse SPF-Received header fields that the
receiving server had added to accepted messages. However, if no SPF
lookup had been done, SA can do it by itself.

> Any observations? Unfortunately, going through the
> spamassassin and spf documentation for me can be a bit like reading
> Greek sometimes.

Messages having an SPF /pass/ are not necessarily ham. SPF only
guarantees that the message has been received from an authorized IP
address. In case you trust domain example.com, you may configure SA with

whitelist_from_spf *@example.com

That way, if example.com has an SPF policy ending in "?all", your
server will not reject messages whose envelope sender matches;
however, they will still be subject to SA filtering unless they got a
/pass/.
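
Added example (not part of the original posts, and not SpamAssassin's own code): a post-DATA filter that reuses the Received-SPF header stamped at SMTP time and whitelists a listed sender only on a pass, as described in the reply above. The hostname mx.local.example, the function names and the sample messages are assumptions constructed for illustration; it also assumes the border MX writes Received-SPF above its own Received line.

```python
import email
import re
from fnmatch import fnmatch

BORDER_MX = "mx.local.example"          # assumption: our own receiving server
WHITELIST_FROM_SPF = ["*@example.com"]  # same pattern as in the post

def trusted_spf(raw):
    """(result, envelope_from) from the Received-SPF header our border MX
    added, else (None, None). Anything at or below the MX's own Received
    line may be sender-supplied, so the scan stops there."""
    for name, value in email.message_from_string(raw).items():
        if name.lower() == "received-spf":
            value = re.sub(r"\([^)]*\)", " ", value)   # drop the comment
            fields = dict(re.findall(r"([\w-]+)=([^;\s]+)", value))
            sender = fields.get("envelope-from", "").strip('"<>').lower()
            return (value.split() or [""])[0].lower(), sender
        if name.lower() == "received" and re.search(
                r"\bby\s+" + re.escape(BORDER_MX), value):
            break
    return None, None

def verdict(raw):
    """'whitelist' only for a trusted pass from a listed sender; every other
    result, including pass from an unlisted domain, is still content-filtered."""
    result, sender = trusted_spf(raw)
    if result is None:
        return "lookup-needed"   # nothing reusable: the filter queries DNS itself
    if result == "pass" and any(fnmatch(sender, p) for p in WHITELIST_FROM_SPF):
        return "whitelist"
    return "filter"

def sample(mx_spf="", sender_hdrs=""):
    """Constructed message: headers as the border MX would stamp them."""
    return (mx_spf +
            "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
            "\tby mx.local.example with ESMTP; Thu, 12 Nov 2009 20:00:00 +0000\n"
            + sender_hdrs + "Subject: constructed sample\n\nbody\n")

SPF = "Received-SPF: {} (constructed) client-ip=192.0.2.10; envelope-from={}\n"

if __name__ == "__main__":
    for label, msg in [
        ("pass, listed", sample(SPF.format("pass", "alice@example.com"))),
        ("neutral, listed", sample(SPF.format("neutral", "alice@example.com"))),
        ("pass, unlisted", sample(SPF.format("pass", "bulk@example.net"))),
        ("sender-supplied", sample("", SPF.format("pass", "alice@example.com"))),
    ]:
        print(f"{label:16} -> {verdict(msg)}")
```

The last case shows why header position matters: a Received-SPF line that arrived with the message is ignored, and the filter falls back to its own lookup.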

