Using SPF in ACL
2007-04-29 by Jim Hermann
Yahoo Groups archive
Index last updated: 2026-04-28 23:32 UTC
Thread
2007-04-29 by Jim Hermann
Is it possible to use SPF in an ACL to override other ACLs or increase the delay or override laziness? I don't want to bypass greylisting for SPF-compliant email. I want to make sure that non-SPF-compliant email gets greylisted, especially if SPF fails hard. Jim
2007-04-29 by Emmanuel Dreyfus
On Sun, Apr 29, 2007 at 02:10:10PM -0000, Jim Hermann wrote:
> Is it possible to use SPF in an ACL to override other ACLs or
> increase the delay or override laziness?
Yes, you can do that with 4.0 beta.
-- Emmanuel Dreyfus manu@...
2007-04-29 by Seth Mos
> Is it possible to use SPF in an ACL to override other ACLs or
> increase the delay or override laziness?
Read the greylist.conf manpage.
> I don't want to bypass greylisting for SPF-compliant email.
See above. It seems silly to do so. I don't understand why you would want to do that. You could also compile a version without libspf of course.
> I want to make sure that non-SPF-compliant email gets greylisted,
> especially if SPF fails hard.
If the SPF test fails, you drop through to the next ACL in line. Seriously though, you should allow as much mail as you can without delay if you can verify the sending party. If the SPF record matches it is very likely that the sending party is a normal mail server and you would get the message anyway.
Cheers, Seth
2007-04-29 by Emmanuel Dreyfus
On Sun, Apr 29, 2007 at 05:02:22PM +0200, Seth Mos wrote:
> Seriously though, you should allow as much mail as you can without delay
> if you can verify the sending party. If the spf record matches it is very
> likely that the sending party is a normal mail server and you would get
> the message anyways.
A spammer can operate by usurping a sender address within a domain where SPF allows mail from any source. I think you can use SPF as a very sharp negative hint: if it fails, then the mail should probably be rejected. If it passes, and if it is in some domain you know for having a restricted set of senders in the SPF record, then you should probably whitelist. In other cases, I'm not sure it should weigh in on either side.
-- Emmanuel Dreyfus manu@...
2007-05-14 by manu@netbsd.org
LE BOURDOULOUS Alain DSIC BEERTD CGN Messagerie <alain.lebourdoulous@...> wrote:
> <!DOCTYPE html
Please post in plain text. Not everyone uses a browser for reading e-mail.
-- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu@...
2007-05-14 by manu@netbsd.org
LE BOURDOULOUS Alain DSIC BEERTD CGN Messagerie <alain.lebourdoulous@...> wrote:
> The spf option is very interesting, but I have a problem so I can't set
> this option.
> When the dns txt record is set with only +all option, the domain is used
> by spammers.
>
> I think that it should be very useful to greylist the entry when the dns
> configuration is like that.
Yes, this has been discussed before: filtering on SPF should be improved, probably this way:
spf pass SPF record exists and passed
spf none no SPF record
spf fail SPF record exists and failed
spf open SPF record exists and match any host
Probably a feature for after 4.0 release.
-- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu@...
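The pass / none / fail / open split sketched in the message above, as an added example that is not milter-greylist code and not part of this thread: a minimal SPF evaluator that checks a client IP against an inline table of constructed records (the domain names, records and addresses are made up; only the ip4, ip6 and all mechanisms are implemented, and anything that would need a DNS lookup is reported as permerror). A sender that passes under a record whose "all" term carries "+" is reported as "open" rather than "pass", which is the case Alain describes and Emmanuel proposes to distinguish.

```python
"""Minimal SPF evaluator illustrating the pass / none / fail / open split.
Added example: not milter-greylist code.  Only ip4, ip6 and all are
implemented; mechanisms that need DNS (a, mx, include, ...) yield permerror.
The records below are constructed and stand in for DNS TXT lookups."""
import ipaddress

# Constructed sample zone: domain -> SPF TXT record (None = no record).
SAMPLE_SPF_RECORDS = {
    "strict.example":   "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example":     "v=spf1 ip4:192.0.2.1 ~all",
    "open.example":     "v=spf1 +all",
    "open2.example":    "v=spf1 ip4:198.51.100.0/24 all",
    "norecord.example": None,
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 4408 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                  # RFC 4408: a missing qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def is_open(record):
    """True when the first 'all' term carries '+': every host on the Internet
    is a permitted sender, which is the 'spf open' case from the thread."""
    for qualifier, name, _ in parse_record(record):
        if name == "all":
            return qualifier == "+"
    return False


def check_host(ip, domain, records=SAMPLE_SPF_RECORDS):
    """Evaluate ip against domain's record.  Returns 'none' (no record),
    'pass', 'fail', 'softfail', 'neutral', 'permerror', or 'open' for a pass
    obtained under a record that would also pass any other host."""
    record = records.get(domain)
    if record is None:
        return "none"
    try:
        terms = parse_record(record)
    except ValueError:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in terms:
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        else:
            return "permerror"           # needs DNS; out of scope here
        if matched:
            result = QUALIFIERS[qualifier]
            if result == "pass" and is_open(record):
                return "open"
            return result
    return "neutral"                     # no mechanism matched: default result


if __name__ == "__main__":
    for ip, domain in [("192.0.2.7", "strict.example"),
                       ("203.0.113.9", "strict.example"),
                       ("203.0.113.9", "open.example"),
                       ("203.0.113.9", "norecord.example")]:
        print(domain, ip, "->", check_host(ip, domain))
```

Note that "open" is decided from the record, not from which mechanism matched: a sender listed explicitly in an ip4 term of a record that still ends in "+all" is reported as open, because the record says nothing that a spammer could not also satisfy.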
2007-08-05 by Jim Hermann
--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> Yes, this has been discussed before: filtering on SPF should be
> improved, probably this way:
> spf pass SPF record exists and passed
> spf none no SPF record
> spf fail SPF record exists and failed
> spf open SPF record exists and match any host
>
> Probably a feature for after 4.0 release.
Is there any way to get this upgraded feature in the current 4.0 alpha version? These are the results of the standard SPF client:
result = 'pass' / 'fail' / 'error' / 'softfail' / 'neutral' / 'none' / 'unknown'
Example headers generated by mybox.example.org:
Received-SPF: pass (mybox.example.org: domain of myname@... designates 192.0.2.1 as permitted sender)
  receiver=mybox.example.org;
  client-ip=192.0.2.1;
  envelope-from=<myname@example.com>;
  helo=foo.example.com;
Received-SPF: fail (mybox.example.org: domain of myname@example.com does not designate 192.0.2.1 as permitted sender)
  receiver=mybox.example.org;
  client-ip=192.0.2.1;
  envelope-from=<myname@...>;
  helo=foo.example.com;
Received-SPF: softfail (mybox.example.org: domain of transitioning myname@... does not designate 192.0.2.1 as permitted sender)
Received-SPF: neutral (mybox.example.org: 192.0.2.1 is neither permitted nor denied by domain of myname@...)
Received-SPF: none (mybox.example.org: myname@... does not designate permitted sender hosts)
Received-SPF: unknown -extension:foo (mybox.example.org: domain of myname@example.com uses mechanism not recognized by this client)
Received-SPF: error (mybox.example.org: error in processing during lookup of myname@...: DNS timeout)
SPF clients may append zero or more of the following key-value pairs at their discretion:
receiver the hostname of the SPF client
client-ip the IP address of the SMTP client
envelope-from the envelope sender address
helo the hostname given in the HELO or EHLO command
mechanism the mechanism that matched (if no mechanisms matched, substitute the word "default".)
problem if an error was returned, details about the error
2007-08-05 by manu@netbsd.org
Jim Hermann <hostmaster@...> wrote:
> Is there any way to get this upgraded feature in the current 4.0
> alpha version?
The goal is to push 4.0 out ASAP and to start over adding fancy features. I've been retaining the 4.0 release because of instability reports. 4.0a6 seems stable at mine. Any other feedback from users?
-- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu@...
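An added example, not from this thread and not milter-greylist code, that parses Received-SPF headers of the shape Jim Hermann lists in his 2007-08-05 message (result token, optional "-extension" word, parenthesised comment, then key=value pairs separated by semicolons) and maps the result to a greylisting delay. The sample headers are constructed from that list using documentation names (example.com, example.org, 192.0.2.1); the delay values are illustrative policy only, combining Seth Mos's point (no delay for a verified sender) with Jim's request (a much longer delay on a hard fail).

```python
"""Parse Received-SPF headers and turn the result into a greylisting delay.
Added example: not milter-greylist code.  Header samples are constructed
from the list in the thread; delays are illustrative policy, not defaults."""
import re

RESULTS = {"pass", "fail", "error", "softfail", "neutral", "none", "unknown"}

# Constructed sample headers, folded across lines as a real header would be.
SAMPLE_HEADERS = {
    "pass": ("Received-SPF: pass (mybox.example.org: domain of\n"
             "  myname@example.com designates 192.0.2.1 as permitted sender)\n"
             "  receiver=mybox.example.org; client-ip=192.0.2.1;\n"
             "  envelope-from=<myname@example.com>; helo=foo.example.com;"),
    "fail": ("Received-SPF: fail (mybox.example.org: domain of\n"
             "  myname@example.com does not designate 192.0.2.1 as permitted sender)\n"
             "  receiver=mybox.example.org; client-ip=192.0.2.1;\n"
             "  envelope-from=<myname@example.com>; helo=foo.example.com;"),
    "unknown": ("Received-SPF: unknown -extension:foo (mybox.example.org: domain\n"
                "  of myname@example.com uses mechanism not recognized by this client)"),
    "error": ("Received-SPF: error (mybox.example.org: error in processing\n"
              "  during lookup of myname@example.com: DNS timeout)"),
}

HEADER_RE = re.compile(
    r"^Received-SPF:\s*(?P<result>[A-Za-z]+)"     # result token
    r"(?:\s+(?P<ext>-[^\s(]+))?"                  # e.g. 'unknown -extension:foo'
    r"(?:\s*\((?P<comment>[^)]*)\))?"             # optional (comment)
    r"(?P<kv>.*)$"                                # key=value; pairs
)


def unfold(header):
    """Join the continuation lines of a folded header into one line."""
    return " ".join(line.strip() for line in header.splitlines())


def parse_received_spf(header):
    """Return a dict with 'result', 'extension', 'comment' and one entry per
    key=value pair (receiver, client-ip, envelope-from, helo, ...)."""
    m = HEADER_RE.match(unfold(header))
    if not m:
        raise ValueError("not a Received-SPF header")
    result = m.group("result").lower()
    if result not in RESULTS:
        raise ValueError("unknown SPF result %r" % result)
    parsed = {"result": result, "extension": m.group("ext"),
              "comment": m.group("comment") or ""}
    for pair in m.group("kv").split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep:                                   # skip the empty tail after ';'
            parsed[key.strip().lower()] = value.strip().strip("<>")
    return parsed


# Illustrative policy (seconds before a retry is accepted):
#   pass   -> 0     whitelist, as Seth suggests for a verified sender
#   fail   -> 3600  hard fail: the long delay Jim asks for (or reject outright)
#   others -> greylist as usual, softfail a little longer
GREYLIST_DELAY = {"pass": 0, "fail": 3600, "softfail": 1800,
                  "neutral": 600, "none": 600, "unknown": 600, "error": 600}


def greylist_delay(parsed):
    """Delay to impose on the connection that produced this header."""
    return GREYLIST_DELAY[parsed["result"]]


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        p = parse_received_spf(header)
        print(name, p["result"], p.get("client-ip"), greylist_delay(p))
```

The "pass -> 0" row carries the caveat Emmanuel raises: a domain publishing "+all" produces a pass for any source, so a policy that whitelists on pass alone is only as good as the sending domain's record, and the record itself has to be inspected before a pass is trusted.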