pthomsen at reedtz
Jul 27, 2004, 9:55 PM
Post #3 of 3
On 7/27/04 1:55 PM, Koen Martens wrote:
>This is a FAQ, but not one easily answered. Search the archives for
>something like 'whitelist' or 'local policy', you will find the answer
>(it was asked just one or two weeks ago iirc). It all depends on your
>implementation, but the proper solution is, I think, to whitelist your
>other MTAs on your outbound relay, such that your outbound relay will
>PASS mail from those servers.
>I believe in the sendmail milter there is an option for a file named
>'whitelist' in some predetermined directory, although I myself use the
>local policy option:
>/usr/bin/perl /usr/local/libexec/sendmail-milter-spf-1.40.pl -l
>'include:trusted-forwarders' spf mx
>where trusted-forwarders is a dns entry with an spf record that defines
>my internal smtp servers.
>Sorry I can't be more specific, it's a bit late in my current space-time
I figured it out, for those of us that use spfmilter (not the perl stuff).
The spfmilter executable has an option '--localpolicy' (or '-l' for
short) which lets you apply a policy to local transactions (like when my
MUA is contacting my outbound relay). The value of the '--localpolicy'
option is simply another SPF record. I used "v=spf1 ip4:aa.bb.cc.dd/28
-all", and my outbound mail now passes.
On Linux (I installed the RPM) the file /etc/sysconfig/spfmilter holds
the options that you need to tweak. Mine looks like this now:
SPFMILTER_OPTIONS="--localpolicy \"v=spf1 ip4:aa.bb.cc.dd/28 -all\""
Note the '\' in front of the double quotes.
Hope this helps others.
>On Tue, Jul 27, 2004 at 11:11:50AM -0700, Per Thomsen wrote:
>>I just set up SPF, and this may be a FAQ, but I searched the archive,
>>and didn't find any info about this issue, so here goes:
>>I run my own mail server (sendmail), and have set up SPF for it:
>>reedtz.com. IN TXT "v=spf1 ip4:220.127.116.11 -all"
>>All MUAs/webmail on my network connect to smtp.reedtz.com
>>(18.104.22.168) and all mail goes out that way.
>>However, when using spfmilter, I get a 'fail' status when I send myself
>>a test message. The problem appears to be that spfmilter sees the
>>Received: line containing my SMTP connection from my MUA (22.214.171.124)
>>to my outbound relay (126.96.36.199) as the 'client IP' (or originating
>>What should I do? I'd really rather not have to maintain SPF records for
>>all MUAs. Or is this simply how it works?
>>I could of course put my entire /28 in the SPF record, but I'd really
>>like to find out how to designate my outbound server as the only allowed
>>server, without getting rejected.
>>Any help is appreciated.
>>Per Reedtz Thomsen | The Reedtz Corporation | F: 209 883 4119
>>V: 209 883 4102 | pthomsen [at] reedtz | C: 415 425 4025
>>GPG ID: 1209784F | Yahoo! Chat: pthomsen | AIM: pthomsen
>>Archives at http://archives.listbox.com/spf-help/current/
>>To unsubscribe, change your address, or temporarily deactivate your
>>subscription, please go to
>>http://v2.listbox.com/member/?listname=spf-help [at] v2
Per Reedtz Thomsen | The Reedtz Corporation | F: 209 883 4119
V: 209 883 4102 | pthomsen [at] reedtz | C: 415 425 4025
GPG ID: 1209784F | Yahoo! Chat: pthomsen | AIM: pthomsen
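Added example (not part of the original post, and not spfmilter's own code): a small evaluator for the ip4/all subset of SPF, showing why a client inside the /28 fails against the published record but passes once a local policy is applied on the relay. It assumes the local policy's mechanisms are tried just before the published record's final "all"; the addresses are constructed documentation-range values, not the poster's.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def split_term(term):
    """Return (result, mechanism) for one SPF term; the default qualifier is '+'."""
    if term[0] in QUALIFIERS:
        return QUALIFIERS[term[0]], term[1:]
    return "pass", term

def evaluate(record, client_ip, local_policy=None):
    """Evaluate the ip4/all subset of SPF for client_ip and return the result."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    terms = terms[1:]
    if local_policy:
        # Assumption: local mechanisms (minus their own 'all') are tried
        # just before the published record's 'all'.
        extra = [t for t in local_policy.split()[1:] if split_term(t)[1] != "all"]
        pos = next((i for i, t in enumerate(terms) if split_term(t)[1] == "all"), len(terms))
        terms = terms[:pos] + extra + terms[pos:]
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        result, mech = split_term(term)
        if mech == "all":
            return result
        if not mech.startswith("ip4:"):
            raise ValueError(f"mechanism not modelled here: {mech}")
        if ip in ipaddress.ip_network(mech[4:], strict=False):
            return result
    return "neutral"

# Constructed sample values (RFC 5737 documentation ranges)
PUBLISHED = "v=spf1 ip4:192.0.2.1 -all"        # only the outbound relay is listed
LOCAL_POLICY = "v=spf1 ip4:192.0.2.0/28 -all"  # value given to --localpolicy
RELAY, MUA, OUTSIDER = "192.0.2.1", "192.0.2.5", "198.51.100.7"

if __name__ == "__main__":
    for label, ip in (("relay", RELAY), ("MUA", MUA), ("outsider", OUTSIDER)):
        print(f"{label:8} {ip:14} published={evaluate(PUBLISHED, ip):5} "
              f"with-local={evaluate(PUBLISHED, ip, LOCAL_POLICY)}")
```

The published record stays limited to the relay, so other receivers still reject mail sent directly from the MUA addresses; only the relay running the local policy accepts them.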