PASS when expecting a NONE

Asked by Erik

I am spoofing a MAIL FROM header when sending a mail. I expect policyd-spf to verify 2 things:

1. HELO SENDER IP verification
2. The SPF record at the domain of the spoofed MAIL FROM address

This is the SPF part of the source of the received mail.
"Received-SPF: Pass (helo) identity=helo; client-ip=1.2.3.4; helo=a.website.com; <email address hidden>; <email address hidden>"

Assuming HELO of a.website.com has IP 1.2.3.4.
And autowasstraat.nl has NO SPF record at all.

I look at the logs with debuglevel = 5, policyd-spf.

1. HELO check passes, this is expected
2. There is no SPF record, the result is NONE

I expect policyd-spf to prepend the text NONE in the header of the mail. However, it PASSES.
It this desired and expected behavior?

Using 2.0.2

Question information

Language:
English Edit question
Status:
Answered
For:
pypolicyd-spf Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Scott Kitterman (kitterman) said :
#1

Given the default configuration, that is expected. If you only want the HELO result to be used when there is no Mail From, then change your configuration to set:

HELO_reject = Null

See policyd-spf.conf.commented or man 5 policyd-spf.conf for details on options you can set for HELO checks.

Can you help with this problem?

Provide an answer of your own, or ask Erik for more information if necessary.

To post a message you must log in.