[conspire] spf and relay
Ron
admin at bclug.ca
Fri Mar 14 15:22:56 PDT 2025
Ivan Sergio Borgonovo wrote on 2025-03-14 15:00:

> To summarize... just the "last mile" is checked.
> If the server delivering at the boundary of the recipient matches the SPF
> record that's fine and enough.
>
> Did I get it right?

That's my understanding.

You'd mentioned things were working well prior to having a static IP, so
I expect there was no SPF pointing at your ever-changing home IP.

Which got me thinking, SPF is probably *not* required due to a stanza on
their Postfix similar to this:

smtpd_recipient_restrictions =
    ## Accept valid logins:
    permit_sasl_authenticated
    ## Accept networks I trust:
    permit_mynetworks
    ## We're only accepting for $mydestination, $virtual_alias_domains,
    ## $virtual_mailbox_domains, $proxy_interfaces,
    ## and $inet_interfaces:
    ## https://www.postfix.org/postconf.5.html#reject_unauth_destination
    reject_unauth_destination
    ## greylist -- config to work with chroot'd postfix:
    check_policy_service unix:postgrey.sock
    ##
    ## Check incoming mail servers' SPF records:
    ## https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
    #
    check_policy_service unix:private/policyd-spf

What's happening above is:

Q) Is user authenticated? If so, accept the message
...
Q) Is user connecting from a host with valid SPF record? If so, accept

I suspect the SASL is good enough and precludes SPF checking.
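
Added example (not part of the original post, and not Postfix's own code): a simplified Python model of the first-match evaluation of the stanza above, showing that an authenticated submission is accepted before the SPF policy service is ever consulted. The addresses, domains, the greylisted flag and the policy stand-ins (SPF modelled as reject-on-fail) are constructed assumptions.

```python
import ipaddress

MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed
LOCAL_DOMAINS = {"example.org"}                        # constructed: domains we accept for
SPF_PASS = {("203.0.113.10", "example.net")}           # constructed: (client IP, sender domain)

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def permit_sasl_authenticated(s):
    return "OK" if s.get("sasl_user") else "DUNNO"

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(s):
    return "DUNNO" if domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def postgrey(s):          # stand-in for the greylisting policy service
    return "DEFER" if s.get("greylisted") else "DUNNO"

def policyd_spf(s):       # stand-in, assumed to reject on SPF failure
    ok = (s["client_ip"], domain(s["mail_from"])) in SPF_PASS
    return "DUNNO" if ok else "REJECT"

RESTRICTIONS = [permit_sasl_authenticated, permit_mynetworks,
                reject_unauth_destination, postgrey, policyd_spf]

def evaluate(session):
    """Return (verdict, deciding restriction, restrictions consulted)."""
    consulted = []
    for check in RESTRICTIONS:
        consulted.append(check.__name__)
        verdict = check(session)
        if verdict != "DUNNO":              # first decisive answer ends the list
            return verdict, check.__name__, consulted
    return "OK", "end of list", consulted   # nothing objected: accept

def demo():
    home = {"client_ip": "198.51.100.77", "mail_from": "bob@example.net"}
    return {
        "authenticated relay": evaluate({**home, "rcpt": "x@example.com", "sasl_user": "bob"}),
        "unauthenticated relay": evaluate({**home, "rcpt": "x@example.com"}),
        "inbound, SPF pass": evaluate({"client_ip": "203.0.113.10",
                                       "mail_from": "bob@example.net", "rcpt": "a@example.org"}),
        "inbound, SPF fail": evaluate({**home, "rcpt": "a@example.org"}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```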