SA Bugzilla – Bug 3962
SPF check fails for roaming users
Last modified: 2004-12-15 04:49:34 UTC
For systems employing SPF which have 'roaming' users (connecting back to their 'home' mailserver via SMTP AUTH), the SPF check gives a SPF_FAIL result with a sufficiently strict SPF record. The first hop from the roaming user to the home mailserver will generally not be authorized to send out e-mail on behalf of the SPF enabled domain. The home mailserver may still allow mail relay, as it can have a different means of authenticating the client. The latter is however lost further on and when SpamAssassin evaluates the chain of systems from untrusted networks, it will do so including this first hop. This is wrong. The correct way to evaluate SPF would be to stop processing when a system is found that does evaluate to anything except SPF_FAIL. From this point (which should be regarded as the 'injectionpoint') down to the first hop is irrelevant in terms of SPF. There can be several systems between the injectionpoint and the first hop, which use different methods of authorizing mail relay. SPF has no meaning there. As an example, the following "Received:" lines: Received: from localhost (localhost [127.0.0.1]) by mail.de-korte.org (Postfix) with ESMTP id 52F3F60328 for <MUNGED@de-korte.org>; Wed, 3 Nov 2004 14:35:32 +0100 (CET) Received: from mail.de-korte.org (localhost [127.0.0.1]) by localhost (AvMailGate-2.0.2-9) id 07732-0140F736; Wed, 03 Nov 2004 14:35:31 +0100 Received: from [10.0.0.2] (ip51cfcd61.direct-adsl.nl [81.207.205.97]) by mail.de-korte.org (Postfix) with ESMTP id 124B160328 for <MUNGED@de-korte.org>; Wed, 3 Nov 2004 14:35:30 +0100 (CET) To keep you all from looking up the SPF record for 'de-korte.org', the (multihomed) system 'mail.de-korte.org' is the one and only system allowed by SPF to send mail on behalf of the 'de-korte.org' domain. However, the person on ip51cfcd61.direct-adsl.nl may connect to this system via SMTP AUTH and is allowed then to relay mail through that server. Yet it will give SPF_FAIL with SpamAssassin, as it is not in the list of trusted_networks.
Checking the trusted headers to see if they 'match the SPF record' of the sender would indeed prevent the SPF_FAIL result. However, given that the remote user is authenticated there is no reason to do an SPF check at all, as we can simply extend the trust boundary. Bug 2462 resolves this issue.
yep bug 2462 is the fix for this, now applied; by detecting valid authentication using SMTP AUTH et al, we avoid this error on "injection" servers. this should therefore now be fixed in SVN. please reopen (with a sample message attachment) if not...