Date:      Sat, 13 Dec 2025 10:31:48 +0000
From:      Frank Leonhardt <freebsd-doc@fjl.co.uk>
To:        questions@freebsd.org
Subject:   Re: SPF logic
Message-ID:  <2e064b2b-faec-4048-a855-86005e3ed826@fjl.co.uk>
In-Reply-To: <526f895b-ee44-478b-89c6-c102a6a5131d@paz.bz>
References:  <526f895b-ee44-478b-89c6-c102a6a5131d@paz.bz>


On 08/12/2025 23:01, Jim Pazarena wrote:
> oh my goodness. I posted to the wrong newsgroup.
> I am so sorry for this wasted space!
>
>
> On 2025-12-08 2:19 PM, Doug Hardie wrote:
>>> On Dec 8, 2025, at 13:59, Jim Pazarena <fquest@paz.bz> wrote:
>>>
>>> I set up SPF for my domains, which has been in place for quite a while.
>>>
>>> I recently set up incoming SSL/TLS + authentication for customers' 
>>> emails.
>>>
>>> I am finding now that remotely connected customers (such as those 
>>> away on holidays) are being denied by the SPF rules because they are 
>>> no longer on a local subnet, and now filtering in to the SPF rules.
>>>
>>> I am wondering what logic I need to put in place to let them bypass 
>>> the SPF if they come in by local SSL authentication ? I can't quite 
>>> reason it out. Thanks for any suggestions/advice.
>>
>>
>> The solution to this will be dependent on the MTA you are using.  You 
>> should probably ask on the maillist for that MTA.
>>
>> -- Doug
>>
>
As far as I know, questions@freebsd.org is a list you can ask any 
question on when you're using FreeBSD (within reason) and someone might 
redirect you to a better list if appropriate. However, top posting won't 
be forgiven !!! :-)

I can't answer your question as you haven't said what configuration 
you're using, but assuming it's FreeBSD base (sendmail) + dovecot (the 
stock IMAP server really isn't the way to go) then you should be using a 
submission port. You're using saslauthd to authenticate users, right? 
Configure sendmail to skip filtering on the submission port with 
authenticated users.

You may have something like this:

define(`confINPUT_MAIL_FILTERS', `spamassassin')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=T,T=C:5m;S:4m;R:3m;E:9m')
DAEMON_OPTIONS(`Port=smtp, Name=MTA, Address=1.2.3.4')
DAEMON_OPTIONS(`Port=submission, Name=MSA2, M=a, Address=1.2.3.4, InputMailFilters=')

The first two lines declare spamassassin as a filter, which will apply 
to all ports.
The third configures port 25 (smtp), which will have the filters applied.
The fourth configures port 587 but leaves off the default filters. 
This is the trick!

As Doug pointed out, you might want to try a specific mailing list for 
the mailer you're using.

Regards, Frank.








Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2e064b2b-faec-4048-a855-86005e3ed826>
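
The check below is an added example, not part of the message above and not sendmail's own tooling: it reads the "O DaemonPortOptions=" lines that DAEMON_OPTIONS() entries like the ones above produce in sendmail.cf and reports every listener whose InputMailFilters= is empty, separating those that require authentication (M=a) from those that do not. The sample lines are constructed, the ALT listener on port 2525 is hypothetical, and matching option keys by their first letter is an assumption about how sendmail reads them.

```python
import re

# Constructed sample: the first two lines mirror the DAEMON_OPTIONS() entries
# in the message; the third (ALT, port 2525) is a hypothetical misconfiguration.
SAMPLE_CF = """\
O DaemonPortOptions=Port=smtp, Name=MTA, Address=1.2.3.4
O DaemonPortOptions=Port=submission, Name=MSA2, M=a, Address=1.2.3.4, InputMailFilters=
O DaemonPortOptions=Port=2525, Name=ALT, Address=1.2.3.4, InputMailFilters=
"""


def parse_daemon(line):
    """Return {first letter of key: value} for a DaemonPortOptions line, else None."""
    m = re.match(r"O\s+DaemonPortOptions\s*=\s*(.*)", line.strip())
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, sep, value = item.strip().partition("=")
        if sep and key:
            # Assumption: keys are matched on their first letter, so
            # "Port"/"P", "Modifiers"/"M" and "InputMailFilters"/"I" are equal.
            opts[key[0].upper()] = value.strip()
    return opts


def audit(cf_text):
    """Return (listener, finding) pairs for listeners that bypass all milters."""
    findings = []
    for line in cf_text.splitlines():
        opts = parse_daemon(line)
        if opts is None or "I" not in opts:
            continue  # no per-listener override: the global filters apply
        if opts["I"]:
            continue  # override names filters, so mail is still filtered
        name = opts.get("N") or opts.get("P", "?")
        if "a" in opts.get("M", ""):
            findings.append((name, "ok: filters skipped, AUTH required (M=a)"))
        else:
            findings.append((name, "RISK: filters skipped without required AUTH"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CF):
        print(f"{name}: {finding}")
```

Pass it the text of the generated sendmail.cf rather than the .mc source, since it matches the expanded option lines.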