Mail Filtering Forwarders and IP addresses

Asked by Stephen Maher

Hi There,

Thank you for taking the time to write this software. I'm hoping you guys will be able to help with an issue we are having.

We have a third-party mail filtering company called Postini, which is set up as our public MX records facing the internet.

An example mailflow would be:

A mail is sent from Bob's ISP 1.2.3.4 to Postini (64.18.5.10) (got via mx records)
Postini filters............
Postini (64.18.1.114) then forwards the mail to our mail server somewhere.overthe.com (9.3.4.2) where our policyd-spf is installed.

It's between Postini 64.18.1.114 and our mail server (somewhere.overthe.com) that our SPF lookup runs using the "mail from: <email address hidden>", and the sender IP is always going to be the same, which is Postini (64.18.1.114). policyd-spf doesn't seem to notice the mail is forwarded, and I don't see an option to change what header element it should be looking at for the IP rather than the IP level connecting IP.

policyd-spf[9020]: X-Comment: SPF skipped for whitelisted relay - client-ip=64.18.1.141; helo=psmtp.com; <email address hidden>; <email address hidden>

We have added Postini's IP range to the whitelist; however, it appears it's trusting every mail that comes through.

Would anyone have any ideas how to get around this, or has anyone else come across this issue?

Many thanks
Stephen

Question information

Language: English
Status: Solved
For: pypolicyd-spf
Assignee: No assignee
Solved by: Stephen Maher
Stephen Maher (stephen-maher) said :
#1

Debug if it helps :-)

May 8 18:08:09 mailsrv postfix/smtpd[5789]: connect from exprod6mx192.postini.com[64.18.1.204]
May 8 18:08:10 mailsrv policyd-spf[7114]: Starting
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "request=smtpd_access_policy"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "protocol_state=RCPT"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "protocol_name=SMTP"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "client_address=64.18.1.204"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "client_name=exprod6mx192.postini.com"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "reverse_client_name=exprod6mx192.postini.com"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "helo_name=psmtp.com"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "<email address hidden>"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "<email address hidden>"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "recipient_count=0"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "queue_id="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "instance=169d.4fa952fa.1e136.0"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "size=0"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "etrn_domain="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "stress="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "sasl_method="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "sasl_username="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "sasl_sender="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "ccert_subject="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "ccert_issuer="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "ccert_fingerprint="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "encryption_protocol="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "encryption_cipher="
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: "encryption_keysize=0"
May 8 18:08:10 mailsrv policyd-spf[7114]: Read line: ""
May 8 18:08:10 mailsrv policyd-spf[7114]: Found the end of entry
May 8 18:08:10 mailsrv policyd-spf[7114]: Config: {'Mail_From_reject': 'Fail', 'Whitelist': '64.18.0.0/20', 'PermError_reject': 'False', 'HELO_reject': 'SPF_Not_Pass', 'Header_Type': 'SPF', 'defaultSeedOnly': 0, 'debugLevel': 4, 'skip_addresses': '10.0.0.0/8,127.0.0.0/8,::ffff:127.0.0.0//104,::1//128', 'TempError_Defer': 'False'}
May 8 18:08:10 mailsrv policyd-spf[7114]: Cached data for this instance: []
May 8 18:08:10 mailsrv policyd-spf[7114]: X-Comment: SPF skipped for whitelisted relay - client-ip=64.18.1.204; helo=psmtp.com; <email address hidden>; <email address hidden>
May 8 18:08:10 mailsrv policyd-spf[7114]: Action: prepend: Text: X-Comment: SPF skipped for whitelisted relay - client-ip=64.18.1.204; helo=psmtp.com; <email address hidden>; <email address hidden>
May 8 18:08:11 mailsrv postfix/smtpd[5789]: disconnect from exprod6mx192.postini.com[64.18.1.204]

Scott Kitterman (kitterman) said :
#2

This is the nature of SPF's design. pypolicyd-spf can only look at the incoming IP address and see if it matches the SPF record of the sender. In the architecture you are using, that would always be postini. SPF checking needs to be done at the border between the sender's network and the receiver's network.

In your case that's at Postini. Ideally, they would check SPF and then add either a Received-SPF or Authentication-Results header to the message so that you can use the SPF result they got for whatever processing you choose to do (for example, SpamAssassin consumes these when they are from trusted hosts and uses them for scoring). What you can't do at your server is do SMTP time rejection. Doing that would cause backscatter directed at innocent third parties whose domains have been forged.
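
An added example (not part of the thread and not pypolicyd-spf code) of consuming an upstream SPF verdict for scoring, as reply #2 suggests: it reads headers top-down and accepts a Received-SPF or Authentication-Results value only while every hop seen so far came from the whitelisted relay range, so copies forged by the sender below the relay's border hop are ignored. It assumes the relay stamps its result above its own inbound Received header and that Received lines carry the client IP in brackets; `relay_spf_result`, `hop_is_trusted` and the sample message are constructed for illustration.

```python
import email
import ipaddress
import re

# Relay range taken from the Whitelist setting in the debug log above.
TRUSTED_RELAYS = ipaddress.ip_network("64.18.0.0/20")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_is_trusted(received_value, trusted):
    """True only if every bracketed IP in a Received header is in `trusted`.
    Requiring all of them defeats a sender who puts a relay address in HELO."""
    ips = BRACKETED_IP.findall(received_value)
    try:
        return bool(ips) and all(ipaddress.ip_address(i) in trusted for i in ips)
    except ValueError:  # malformed literal such as [999.1.1.1]
        return False

def relay_spf_result(raw_message, trusted=TRUSTED_RELAYS):
    """Return the SPF result stamped by the trusted relay, or None."""
    inside = False  # becomes True once a hop from the trusted relay is seen
    for name, value in email.message_from_string(raw_message).items():
        name = name.lower()
        if name == "received":
            if not hop_is_trusted(value, trusted):
                break  # border hop reached: everything below is sender-controlled
            inside = True
        elif inside and name == "received-spf":
            m = re.match(r"\s*([a-z]+)", value, re.I)
            if m:
                return m.group(1).lower()
        elif inside and name == "authentication-results":
            m = re.search(r"\bspf=([a-z]+)", value, re.I)
            if m:
                return m.group(1).lower()
    return None

# Constructed sample: relay verdict above the border hop, forged copy below it.
SAMPLE = (
    "Received: from psmtp.com (exprod6mx192.postini.com [64.18.1.204])\n"
    "\tby mailsrv (Postfix) with SMTP id PLACEHOLDER\n"
    "Received-SPF: fail (constructed relay verdict) client-ip=1.2.3.4\n"
    "Received: from bobs-isp.example (bobs-isp.example [1.2.3.4])\n"
    "\tby relay.example with SMTP\n"
    "Received-SPF: pass (forged by the sender)\n"
    "From: bob@example.com\n\nbody\n"
)

if __name__ == "__main__":
    print(relay_spf_result(SAMPLE))
```

The returned value is meant for content scoring after acceptance, not for SMTP-time rejection, for the backscatter reason given in the reply.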

Stephen Maher (stephen-maher) said :
#3

Hi Scott,

Thank you for the clarification

Kind regards
Stephen