Postini and SPF

[Martyn Drake]

I'm not sure whether it's me being downgraded to the Standard edition
of Google Apps (temporary - I will head back to Premier in a few short
days - needed to sort out my account allocation before committing) and
still using Postini (which doesn't get cancelled immediately when
terminating the Premier trial edition - thankfully), but I'm just
wondering why Google Apps is attempting to do SPF checks on Postini's
server rather than the SMTP server of the sending mail server.
Example:

Received: from psmtp.com (eu1sys200amx005.postini.com
[207.126.144.45])
by mx.google.com with SMTP id h15si7766266wxd.
2007.10.23.03.15.51;
Tue, 23 Oct 2007 03:15:52 -0700 (PDT)
Received-SPF: neutral (google.com: 207.126.144.45 is neither permitted
nor denied by best guess record for domain of org-discuss-
bou...@lists.openrightsgroup.org) client-ip=207.126.144.45;
Authentication-Results: mx.google.com; spf=neutral (google.com:
207.126.144.45 is neither permitted nor denied by best guess record
for domain of org-discu...@lists.openrightsgroup.org)
smtp.mail=org-discu...@lists.openrightsgroup.org
Received: from source ([88.208.236.142]) (using TLSv1) by
eu1sys200amx005.postini.com ([207.126.147.10]) with SMTP;
Tue, 23 Oct 2007 13:15:51 IDT

Or am I having one those weeks where I'm looking for things that
aren't there? I expect this is the case.

Regards,

Martyn
--
http://google.apps.me.uk

[t...@postini.com]

> Or am I having one those weeks where I'm looking for things that
> aren't there? I expect this is the case.

Hi Martyn,

You are correct, actually.

Postini relays incoming mail from the sender to Google Apps. From the
perspective of the Google Apps servers, the SMTP connections are
coming from Postini IP addresses, so these addresses are used for the
Google Apps SPF lookup.

Hope this helps.

Cheers,
Ted Prodromou
Postini Documentation

[Martyn Drake]

On Oct 24, 1:09 am, t...@postini.com wrote:

> Postini relays incoming mail from the sender to Google Apps. From the
> perspective of the Google Apps servers, the SMTP connections are
> coming from Postini IP addresses, so these addresses are used for the
> Google Apps SPF lookup.

Perhaps something to flag up as part of the integration, given that
Postini is doing all the donkey work for authenticating/approving/
blocking senders from spam, scam, viruses and whatnot, Google's mail
servers shouldn't be doing any further checking/authenticating.

[t...@postini.com]

Martyn,

I'll pass this on. Thanks for the suggestion.

Ted Prodromou
Postini Documentation

[Bill Bereza]

I actually have a related question with SPF. I noticed that Postini
itself doesn't seem to verify SPF records. Or at least no evidence of
it shows up in the headers.

I have configured our spam filter to always allow email from some
domains, because it is vital we don't have any false-positives for
those domains, but I would still want postini to treat as spam
anything that fails the SPF record verification.

[t...@postini.com]

Hi Bill,

Postini's inbound mail filtering does not verify SPF headers, because
it would slow down message traffic for Postini.
Instead, Postini uses other methods of spam filtering.

We do have a way to do what you're describing, but it's a little
tricky. First, add the domains to the Approved Senders list in
Postini. Then, specify the IP addresses using the "addallowedip"
command, which is available through our Batch Command interface.

For information on how to use this command, see this document:

http://www.postini.com/webdocs/admin_ee_cu/secur_iplock.html

(This command is not used frequently in Policy Management and Message
Recovery, so this link actually points to a document for another
version of the product.)

Hope this helps.

Ted Prodromou
Postini Documentation

> > Postini Documentation- Hide quoted text -
>
> - Show quoted text -