The eclectic musings of a bitter software engineer.

I happened to be looking at the raw headers of an email today and noticed something weird. The message had been sent to me from a local user on my server, so it had never actually left the server; however, SpamAssassin had given the message a couple of spam points because it said the SPF verification had failed. I double-checked the relevant SPF records and there was nothing wrong there, so I began to suspect there might be a bug in SpamAssassin's SPF verification routine.

I tried sending an email from my server to a Gmail address (this is a good way to test SPF records, since Gmail adds headers to messages indicating whether the SPF verification succeeded). Sure enough, Gmail's SPF verification succeeded. I also sent messages to a few standard SPF test services, and they all indicated success as well. Furthermore, mail sent from Gmail to my server didn't result in an SPF failure, so SpamAssassin was verifying Gmail's SPF record correctly, but not mine.

Finally, after staring at the email headers for a few more minutes, I realized what was happening. SpamAssassin wasn't buggy; it just didn't have all the information it needed.

When a local user on my server sends mail to another local user, the mail server only adds a single "Received" header to the message, and the "from" IP in this header is the user's IP (in this case, a dynamic Comcast IP). If the email had originated from an outside mail server like Gmail, it would have had at least two "Received" headers—one for Gmail and one for my server—and SpamAssassin would verify the SPF record by checking that the handoff from Gmail to my server came from a valid IP. But since this message appeared to be originating from a dynamic IP, SpamAssassin had no way of knowing that the message actually originated on the local server, because it had no way of knowing that the user had been authenticated via Postfix SMTP auth.

As it turns out, all I had to do was tell Postfix to add a header indicating that the sender was authenticated, and then SpamAssassin was happy. Putting the following line in Postfix's main.cf file did the trick:

smtpd_sasl_authenticated_header = yes
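With that setting, Postfix records the SASL login name in the Received header it stamps, as "(Authenticated sender: name)". The sketch below is an added example, not code from the original post: it reads that marker only from the topmost Received header written by your own server, since any Received header further down is supplied by the sender and can be forged. The hostname mail.example.org, the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)]+)\)")
COMMENT_RE = re.compile(r"\([^()]*\)")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def sasl_sender(raw, my_host):
    """Return the SASL login our own MTA recorded, or None.

    Only the topmost Received header is trusted: it is the one stamped by
    the server that accepted the message. Lower ones are sender-supplied.
    """
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    top = " ".join(received[0].split())          # unfold continuation lines
    by = BY_RE.search(COMMENT_RE.sub(" ", top))  # ignore text inside comments
    if not by or by.group(1).lower() != my_host.lower():
        return None                              # not stamped by our server
    auth = AUTH_RE.search(top)
    return auth.group(1).strip() if auth else None

def make(received_headers):
    # Build a constructed sample message from a list of Received values.
    head = "".join(f"Received: {h}\n" for h in received_headers)
    return head + "From: alice@example.org\nTo: bob@example.org\n\nhi\n"

# Constructed, simplified Received value; {auth} is where the marker goes.
HOP = ("from laptop (c-203-0-113-7.example.net [203.0.113.7])\n"
       "\t{auth}by mail.example.org (Postfix) with ESMTP id 4F1A2B3C4D;\n"
       "\tSat, 19 May 2007 08:00:00 -0700 (PDT)")

# Constructed samples: header without the setting, with it, and a forgery
# where the marker appears only in a lower, sender-supplied header.
BEFORE = make([HOP.format(auth="")])
AFTER = make([HOP.format(auth="(Authenticated sender: alice)\n\t")])
FORGED = make([HOP.format(auth=""),
               HOP.format(auth="(Authenticated sender: admin)\n\t")])

if __name__ == "__main__":
    for name, raw in (("before", BEFORE), ("after", AFTER), ("forged", FORGED)):
        print(name, sasl_sender(raw, "mail.example.org"))
```

Because the login name is written into the message itself, every recipient of the mail can read it.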

Comments

Very useful article. I've run into exactly the same problem but I'm using sendmail and not Postfix and I can't seem to find a similar solution for sendmail.

I'm not that familiar with these server-side programs, so if anybody knows of a solution to my problem, I'd really appreciate it.
Saturday May 19, 2007 @ 08:41 AM (PDT) Posted by Jeroen

Great article - exactly the problem I was having and the solution works like a charm. Thanks!

Monday December 31, 2007 @ 03:17 AM (PST) Posted by Steve

This article just kept my biggest customer of all happy – my wife!! I just got SpamAssassin running last night and noticed her outbound customer emails were getting a “decent” score on them… Ugh. Anyhow this works like a charm!

Monday November 10, 2008 @ 10:43 AM (PST) Posted by Bryn

Copyright © 2002-2008 Ryan Grove. All rights reserved.