SPF Scans on outgoing mail

Julian Field MailScanner at ecs.soton.ac.uk
Tue Oct 31 19:15:40 GMT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I ended up setting up an SPF record which effectively says nothing about 
who can send mail as us from anywhere. It was the only practical 
solution to our environment where we have large numbers of travelling 
academics, often using hotel networks which don't allow VPN traffic, or 
hijack SMTP connections to the hotel's ISP's own mail servers so you 
cannot stop the email appearing to originate from outside our network. 
SPF is just not practical for us, so I had to work around it.

Check the SPF record for ecs.soton.ac.uk if you want to see how to do it.

Josh Dayberry wrote:
> For someone reason when someone send an e-mail (including myself) with smtp
> auth, the e-mail is scanned, then sent to the recipient, the SPF tests will
> fail on my server's copy of mailscanner because the e-mail appears to be
> from the users computer not the server, but after the e-mail has been
> delivered to another server, it no longer appears as being sent from only
> the users computer so the SPF tests pass.
>
> The SPF tests are my primary concern because they are the greatest source of
> false positives, but ultimately I would rather just not scan e-mails sent
> from users who as authenticated.
>
> Thanks again,
> Josh Dayberry
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Alex Neuman
> Sent: Monday, October 30, 2006 5:21 PM
> To: MailScanner discussion
> Subject: Re: SPF Scans on outgoing mail
>
> Josh Dayberry escribió:
>   
>> Here is my problem. I have many mobile users of my server. When they 
>> send e-mail their e-mail fails the SPF tests and their IP is submitted 
>> for RBL tests and things of that sort. However, all users with the 
>> ability to send e-mail on my server should not have their e-mail 
>> scanned at all. Unfortunately I haven’t been able to figure out how to 
>> stop MailScanner from scanning e-mail received from users who 
>> authenticate. Any ideas would be appreciated.
>>
>> Josh Dayberry
>>
>> josh at thematthewsgroup.com
>>
>>     
> The mobile users aren't using your server; they're using someone else's 
> server to send out e-mail that should be going out of your server.
>
> Your SPF record is showing the following:
>
> "v=spf1 a mx -all"
>
> Which means only your MX's are allowed to send mail out as 
> thematthewsgroup.com; if your users are *actually* connecting to your 
> server, and they're authenticating themselves properly (not using 
> POP-before-SMTP but *actual* SMTP AUTH), then your SPF checks should 
> work, in theory. All of mine do.
>
> What are you using for SPF? In the meantime you can add "~all" instead 
> of "-all" to mitigate (not eliminate) the problem while you find out 
> what's wrong.
>   

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk




-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1112)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: windows-1252

wj8DBQFFR6EPEfZZRxQVtlQRAhsTAKCpfk8DZ08Q42tQxN+VpgxePw7VUACeJ90G
c1pcQv7YEpG9Irl0pyeDpsg=
=ypII
-----END PGP SIGNATURE-----

More information about the MailScanner mailing list