SPF evaluation tweaks?

Post by DavidRa » 22 Jan 2013 02:42

I think I need to change the way SPF is evaluated on my EFA appliance. Here's the scenario:
  • Environment has a primary mail delivery location which is EFA - let's call that mail1.contoso.com.
  • I also have a secondary mail delivery location which is a FreeBSD host on a different ISP - let's call that mail2.contoso.com
  • Users receive email from a sender whose domain is "secured" by SPF (with a hardfail for IPs not in the SPF record)
  • The email is directed to the secondary MX because the primary MX was unavailable (e.g. reboot, link failure, overload, routing issues etc).
When EFA receives the email via the backup MX, it refuses the email because the backup MX is not authorised to send for the originating domain (IP changed to protect my poor secondary):
http://www.openspf.org/Why?s=mfrom;id=u ... ontoso.com

Suggestions welcome - whether that be:
  • A way to configure semi-trusted MXs (ignore SPF for this connecting server, but process all other rules e.g. SA, Clam)
  • A way for the secondary MX to tag the email as "Via trusted secondary" - never seen this in my years of doing mail servers, but you never know!
  • A way to configure the SPF check to evaluate other headers - i.e. IF from secondary-mx, check previous header for SPF compliance
  • Something else
Note that I do want to keep the rest of the EFA appliance in line - the FBSD isn't quite as good at anti-spam so it cannot be fully trusted.
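
The third suggestion in the post above (when mail arrives from the secondary MX, evaluate SPF against the hop before it), as an added example that is not part of the original post and is not EFA's own code. The addresses, the `example.org` SPF record, the sample messages and all function names are constructed assumptions; the evaluator handles only `ip4` and `all`, and the `Received` parsing is IPv4 only.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions (constructed values, documentation address ranges):
TRUSTED_SECONDARIES = {ipaddress.ip_address("198.51.100.25")}   # mail2.contoso.com
SPF_RECORDS = {"example.org": "v=spf1 ip4:203.0.113.0/24 -all"}  # stands in for a DNS lookup
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def spf_ip4(domain, ip):
    """Evaluate only ip4 mechanisms and 'all'; a real checker handles the full syntax."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:")
                             and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return RESULTS[qualifier]
    return "neutral"

def ip_for_spf(connecting_ip, raw_message):
    """Pick the address SPF should be evaluated against."""
    ip = ipaddress.ip_address(connecting_ip)
    if ip not in TRUSTED_SECONDARIES:
        return ip  # normal case: judge the connecting host
    # Only the topmost Received header was written by the trusted secondary;
    # everything below it is supplied by the sender and can be forged.
    received = message_from_string(raw_message).get_all("Received", [])
    match = BRACKETED_IP.search(received[0]) if received else None
    return ipaddress.ip_address(match.group(1)) if match else ip

def check(connecting_ip, mail_from_domain, raw_message):
    return spf_ip4(mail_from_domain, ip_for_spf(connecting_ip, raw_message))

VIA_SECONDARY = (  # constructed: legitimate sender, relayed by mail2
    "Received: from mta.example.org (mta.example.org [203.0.113.7])\n"
    "\tby mail2.contoso.com with ESMTP; Tue, 22 Jan 2013 02:00:00 +1100\n"
    "Subject: hello\n\nbody\n")
SPOOFED = (  # constructed: unauthorised host, with a forged lower header
    "Received: from bad.invalid (bad.invalid [192.0.2.66])\n"
    "\tby mail2.contoso.com with ESMTP; Tue, 22 Jan 2013 02:05:00 +1100\n"
    "Received: from mta.example.org (mta.example.org [203.0.113.7])\n"
    "\tby bad.invalid; Tue, 22 Jan 2013 02:04:00 +1100\n"
    "Subject: hello\n\nbody\n")
```

If the secondary's header carries no parsable address, the check falls back to the connecting IP, which gives the same refusal as today rather than an unchecked accept.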
