Re: [courier-users] SPF tempfail



Joe Laffey, 04-30-2008
On Wed, 30 Apr 2008, Alessandro Vesely wrote:

> Joe Laffey wrote:
>> opt BOFHSPFHARDERROR=fail
>> [...]
>> BOFHSPFHARDERROR=fail to remove the default softfail in that variable.
>
> Sounds slightly nonsensical, as a "~all" doesn't have a decent chance
> to be amended within the few days that a temporary failure can keep a
> given message in the remote host's queue.



Ah, I see your point. But how to handle a softfail just once? By putting
softfail in the list of BOFHSPFMAILFROM I am ignoring softfails, and
passing them anyway... right?






>
> > Odd thing is that it is tempfailing on an address/ip combo that should be
> > working (xxxx@aol.com and 64.12.138.200).
>
> In fact, I get
>
> # rfc1035/testspf xxxx@aol.com 64.12.138.200 ...
> pass
>
> According to http://www.openspf.org/RFC_4408 , you can get a TempError
> as a consequence of DNS lookup failures or timeouts.


Yes. This was what I tested, and why I thought it was odd that this
address/ip combination was tempfailing (4xxx error code).

I added "error" to BOFHSPFMAILFROM and this seems to have fixed it.

It would be very nice if the SPF checking code would log the type of
failure (the SPF keyword, e.g. "pass", "fail", "softfail", "error") with
each logged rejection. This would make it easier to tell what was
happening.



>
> > Also is there a way to instruct courier to ignore SPF for certain domains?
>
> AFAIK no. That should be amended, to fix forwarding. (One should login
> in order to submit mail without SPF checking. However, authenticated
> hosts currently get full RELAYCLIENT permissions.)
>



Would be nice for instances when some client "must" receive mail from
somebody who has their SPF records set incorrectly (like they have them
set conservatively and the sender is on the road using some other SMTP,
when they should be logging in to the corporate SMTP, etc.).


I also removed the entry for BOFHSPFFROM, setting it to "all". Like the
docs say, this caused problems with mailing list messages, blocking any
original FROM addresses with SPF records when the message was relayed
through the list server...


This leaves me with:

opt BOFHSPFMAILFROM=pass,none,softfail,neutral,unknown,error
opt BOFHSPFFROM=all
opt BOFHSPFHARDERROR=fail


Comments appreciated.

Thanks,

--
Joe Laffey | Visual Effects for Film and Video
LAFFEY Computer Imaging | -------------------------------------
St. Louis, MO | Show Reel http://LAFFEY.tv/?e10302
USA | -------------------------------------
.. | -*- Digital Fusion Plugins -*-
--------------------------------------------------------------------------
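
An added illustration (not part of the original post, and not Courier's own code): a simplified Python model of how the settings discussed in this thread pick the SMTP outcome for a MAIL FROM SPF result. It assumes that results listed in BOFHSPFMAILFROM are accepted, that unlisted results named in BOFHSPFHARDERROR (default fail,softfail) get a permanent error, and that every other unlisted result gets a temporary one; the "before" settings are constructed.

```python
# Added illustration: a simplified model of the thread's settings, not Courier's code.
SPF_RESULTS = ("pass", "fail", "softfail", "neutral", "none", "error", "unknown")

def parse_bofh(text):
    """Parse 'opt NAME=a,b,c' lines into {NAME: set of keywords}."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("opt "):
            continue
        name, _, value = line[4:].partition("=")
        # The model's parser ignores stray whitespace around keywords.
        opts[name.strip()] = {k.strip() for k in value.split(",") if k.strip()}
    return opts

def mailfrom_disposition(opts, result):
    """Return the modelled SMTP outcome for one MAIL FROM SPF result."""
    if "BOFHSPFMAILFROM" not in opts:
        return "accept"  # assumption: no setting means no MAIL FROM SPF check
    if result in opts["BOFHSPFMAILFROM"]:
        return "accept"
    # Assumption: BOFHSPFHARDERROR only picks 5xx vs 4xx for unlisted results;
    # "fail,softfail" is the default the thread refers to.
    hard = opts.get("BOFHSPFHARDERROR", {"fail", "softfail"})
    return "reject-5xx" if result in hard else "tempfail-4xx"

def changed(before, after):
    """Map each SPF result whose outcome differs to (old, new)."""
    diff = {}
    for r in SPF_RESULTS:
        old, new = mailfrom_disposition(before, r), mailfrom_disposition(after, r)
        if old != new:
            diff[r] = (old, new)
    return diff

# Constructed "before" settings: the final list from the post minus "error".
BEFORE = parse_bofh("""opt BOFHSPFMAILFROM=pass,none,softfail,neutral,unknown
opt BOFHSPFHARDERROR=fail""")
# The final settings as posted.
AFTER = parse_bofh("""opt BOFHSPFMAILFROM=pass,none,softfail,neutral,unknown,error
opt BOFHSPFFROM=all
opt BOFHSPFHARDERROR=fail""")

if __name__ == "__main__":
    for r in SPF_RESULTS:
        print(f"{r:9} {mailfrom_disposition(BEFORE, r):13} -> {mailfrom_disposition(AFTER, r)}")
    print(changed(BEFORE, AFTER))
```

Under this model, "error" is the only result whose outcome changes between the two configurations, and "fail" is the only result still rejected afterwards.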
