baruwaproject / baruwa2

Baruwa 2.0
http://www.baruwa.org
GNU General Public License v3.0

[bug] Outbound messages sent from a 'relay' ip get a 'SPF_FAIL' spam hit #93

Closed rmoesbergen closed 7 years ago

rmoesbergen commented 8 years ago

Messages sent using Baruwa as a relay (smarthost) get an 'SPF_FAIL' spam hit, even though the IP address of the host sending the message is on the relay addresses list for the organization.

How to reproduce:

The workaround in our case is to add the internal host IP to the public SPF record, but that should not be necessary and is a security issue.

akissa commented 7 years ago

I do not see a way around this; the only recommendation I can think of is to set up split DNS for the domains in question and add the internal addresses to the internal zone.

rmoesbergen commented 7 years ago

I'm guessing the SPF_FAIL hit is produced by SpamAssassin? Isn't there a whitelist option in SpamAssassin to tell it that the IPs on the relay list are 'trusted', and therefore don't have to go through SPF checks?

akissa commented 7 years ago

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_SPF.html

rmoesbergen commented 7 years ago

Guess not... We actually do have a split DNS setup (internal vs external), so we could perform the workaround you suggested. Might be good to document this to prevent the same question from others.