SPF logic


Jim Pazarena

Dec 8, 2025, 5:00:19 PM
to ques...@freebsd.org
I set up SPF for my domains, which has been in place for quite a while.

I recently set up incoming SSL/TLS + authentication for customers' emails.

I am finding now that remotely connected customers (such as those away
on holidays) are being denied by the SPF rules because they are no
longer on a local subnet, and now filtering in to the SPF rules.

I am wondering what logic I need to put in place to let them bypass the
SPF if they come in by local SSL authentication ? I can't quite reason
it out. Thanks for any suggestions/advice.


--
Jim Pazarena fqu...@paz.bz
Haida Gwaii - British Columbia - Canada


Doug Hardie

Dec 8, 2025, 5:19:53 PM
to Jim Pazarena, ques...@freebsd.org
> On Dec 8, 2025, at 13:59, Jim Pazarena <fqu...@paz.bz> wrote:
>
> I set up SPF for my domains, which has been in place for quite a while.
>
> I recently set up incoming SSL/TLS + authentication for customers' emails.
>
> I am finding now that remotely connected customers (such as those away on holidays) are being denied by the SPF rules because they are no longer on a local subnet, and now filtering in to the SPF rules.
>
> I am wondering what logic I need to put in place to let them bypass the SPF if they come in by local SSL authentication ? I can't quite reason it out. Thanks for any suggestions/advice.


The solution to this will be dependent on the MTA you are using. You should probably ask on the maillist for that MTA.

-- Doug


Jim Pazarena

Dec 8, 2025, 6:02:14 PM
to ques...@freebsd.org
oh my goodness. I posted to the wrong newsgroup.
I am so sorry for this wasted space!

Marco Moock

Dec 9, 2025, 1:08:36 AM
to ques...@freebsd.org
On 08.12.2025 13:59 Jim Pazarena <fqu...@paz.bz> wrote:

> I am wondering what logic I need to put in place to let them bypass
> the SPF if they come in by local SSL authentication ? I can't quite
> reason it out. Thanks for any suggestions/advice.

This is something the SPF milter needs to handle. Sendmail offers the
milter interface where a milter can get the information that a user is
successfully authenticated, so it can bypass the SPF check.

--
kind regards
Marco

Send spam to abfall17...@stinkedores.dorfdsl.de

Frank Leonhardt

Dec 13, 2025, 5:32:23 AM
to ques...@freebsd.org
As far as I know, ques...@freebsd.org is a list you can ask any
question on when you're using FreeBSD (within reason) and someone might
redirect you to a better list if appropriate. However, top posting won't
be forgiven !!! :-)

I can't answer your question as you haven't said what configuration
you're using, but assuming it's FreeBSD base (sendmail) + dovecot (the
stock IMAP server really isn't the way to go) then you should be using a
submission port. You're using saslauthd to authenticate users, right?
Configure sendmail to skip filtering on the submission port with
authenticated users.

You may have something like this:

define(`confINPUT_MAIL_FILTERS', `spamassassin')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=T,T=C:5m;S:4m;R:3m;E:9m')
DAEMON_OPTIONS(`Port=smtp, Name=MTA, Address=1.2.3.4')
DAEMON_OPTIONS(`Port=submission, Name=MSA2, M=a, Address=1.2.3.4, InputMailFilters=')

The first two lines declare spamassassin as a filter, which will apply
to all ports.
The third configures port 25 (smtp), which will have the filters applied.
The fourth configures port 587, but leaves off the default filters.
This is the trick!

As Doug pointed out, you might want to try a specific mailing list for
the mailer you're using.

Regards, Frank.
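
The submission listener in the fragment above is only safe to leave unfiltered because `M=a` forces authentication on it. As an added example (not part of any poster's message), this Python check reads the `DAEMON_OPTIONS` entries of a sendmail `.mc` file and flags any listener that drops the input filters without that modifier. The sample config, the `ALT` listener on port 2525 and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the fragment in the post; the address is the
# post's placeholder and the ALT listener on port 2525 is invented for contrast.
SAMPLE_MC = """\
dnl constructed example
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=T')
DAEMON_OPTIONS(`Port=smtp, Name=MTA, Address=1.2.3.4')
DAEMON_OPTIONS(`Port=submission, Name=MSA2, M=a, Address=1.2.3.4,
InputMailFilters=')
DAEMON_OPTIONS(`Port=2525, Name=ALT, Address=1.2.3.4, InputMailFilters=')
"""

DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")

def parse_daemon_options(mc_text):
    """Return one {key: value} dict per DAEMON_OPTIONS entry, ignoring dnl lines."""
    lines = [l for l in mc_text.splitlines() if not l.lstrip().startswith("dnl")]
    daemons = []
    for body in DAEMON_RE.findall("\n".join(lines)):
        opts = {}
        for item in body.split(","):
            key, _, value = item.strip().partition("=")
            if key:
                opts[key] = value.strip()
        daemons.append(opts)
    return daemons

def audit(mc_text):
    """Map each listener name to how it treats milters and authentication."""
    report = {}
    for opts in parse_daemon_options(mc_text):
        name = opts.get("Name") or opts.get("Port", "?")
        # Assumption: only the key spellings used in the post (M, InputMailFilters)
        # are recognised here.
        auth_required = "a" in opts.get("M", "")
        filters_off = opts.get("InputMailFilters") == ""
        if not filters_off:
            report[name] = "filtered"
        elif auth_required:
            report[name] = "auth-only bypass"
        else:
            report[name] = "unfiltered without auth"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_MC))
```

A listener reported as "unfiltered without auth" accepts mail from any client with the milters switched off, which is the case to correct before deploying the bypass.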





