On Thu, Sep 09, 2004 at 10:37:51PM -0400, Meng Weng Wong wrote:
| I spent some time today implementing a Unified SPF postfix
| policy daemon. It follows the AGUPI model described at
| http://spf.pobox.com/aspen/email-future-1.png
|
| I have it currently set to reject, by default, all mail that
| doesn't pass both authentication and policy tests.
|
When I send mail from my personal box, newbabe.mengwong.com,
which is not whitelisted by any of the reputation services I
know,
20040909-23:05:07 mengwong(_at_)newbabe:~% echo test | testmx
-mx=dumbo.pobox.com -subject='where is this going'
-from=mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com
-to=mengwong(_at_)spf(_dot_)pobox(_dot_)com -port=25 -helo=newbabe.mengwong.com
<<< 220 dumbo.pobox.com ESMTP Postfix
>>> EHLO newbabe.mengwong.com
<<< 250-dumbo.pobox.com
<<< 250-PIPELINING
<<< 250-SIZE 10240000
<<< 250-VRFY
<<< 250-ETRN
<<< 250 8BITMIME
>>> MAIL FROM:<mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com>
<<< 250 Ok
>>> RCPT TO:<mengwong(_at_)spf(_dot_)pobox(_dot_)com>
<<< 554 <mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com>: Sender address
rejected: Sorry, agupimail requires that your message be sent through an
authenticated channel, and that the sender be recognized by the receiving
system.
Internally, syslog shows:
: Attribute: client_address=209.2.32.36
: Attribute: client_name=newbabe.mengwong.com
: Attribute: extra_arg=
: Attribute: helo_name=newbabe.mengwong.com
: Attribute: instance=00513e.00414119f6.000000
: Attribute: protocol_name=ESMTP
: Attribute: protocol_state=RCPT
: Attribute: queue_id=
: Attribute: recipient=mengwong(_at_)spf(_dot_)pobox(_dot_)com
: Attribute: request=smtpd_access_policy
: Attribute: sender=mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com
: Attribute: size=0
testing: stripped sender=mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com,
stripped rcpt=mengwong(_at_)spf(_dot_)pobox(_dot_)com
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.rating.cloudmark.com...
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.wl.trusted-forwarder.org...
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.dnswl.mailzone.com...
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.bulk.rhs.mailpolice.com...
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.rhsbl.ahbl.org...
agupimail policy_status for ptr identity newbabe.mengwong.com returned
UNKNOWN: no result from the karma system.
agupimail now going to look for auth_status...
: : ptr_status: testing newbabe.mengwong.com
pass: spf/PTR smtp_comment=Please see
http://spf.pobox.com/why.html?sender=newbabe.mengwong.com&ip=209.2.32.36&receiver=dumbo.pobox.com:
newbabe.mengwong.com A 209.2.32.36, header_comment=dumbo.pobox.com: domain of
newbabe.mengwong.com designates 209.2.32.36 as permitted sender
agupimail auth_result for ptr identity newbabe.mengwong.com is PASS
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.rating.cloudmark.com...
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.wl.trusted-forwarder.org...
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.dnswl.mailzone.com...
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.bulk.rhs.mailpolice.com...
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.rhsbl.ahbl.org...
agupimail policy_status for helo identity newbabe.mengwong.com returned
UNKNOWN: no result from the karma system.
agupimail now going to look for auth_status...
pass: spf/HELO smtp_comment=Please see
http://spf.pobox.com/why.html?sender=newbabe.mengwong.com&ip=209.2.32.36&receiver=dumbo.pobox.com:
newbabe.mengwong.com A 209.2.32.36, header_comment=dumbo.pobox.com: domain of
newbabe.mengwong.com designates 209.2.32.36 as permitted sender
agupimail auth_result for helo identity newbabe.mengwong.com is PASS
karma_query(sender:mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com):
querying newbabe.mengwong.com.rating.cloudmark.com...
karma_query(sender:mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com):
querying newbabe.mengwong.com.wl.trusted-forwarder.org...
karma_query(sender:mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com):
querying newbabe.mengwong.com.dnswl.mailzone.com...
karma_query(sender:mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com):
querying newbabe.mengwong.com.bulk.rhs.mailpolice.com...
karma_query(sender:mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com):
querying newbabe.mengwong.com.rhsbl.ahbl.org...
agupimail policy_status for sender identity
mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com returned UNKNOWN: no result from
the karma system.
agupimail now going to look for auth_status...
pass: spf/MAILFROM smtp_comment=Please see
http://spf.pobox.com/why.html?sender=mengwong%40newbabe.mengwong.com&ip=209.2.32.36&receiver=dumbo.pobox.com:
newbabe.mengwong.com A 209.2.32.36, header_comment=dumbo.pobox.com: domain of
mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com designates 209.2.32.36 as
permitted sender
agupimail auth_result for sender identity
mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com is PASS
agupimail overall: decided action=REJECT Sorry, agupimail requires that
your message be sent through an authenticated channel, and that the sender be
recognized by the receiving system.
postfix/smtpd[20798]: NOQUEUE: reject: RCPT from
newbabe.mengwong.com[209.2.32.36]: 554
<mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com>: Sender address rejected:
Sorry, agupimail requires that your message be sent through an authenticated
channel, and that the sender be recognized by the receiving system.;
from=<mengwong(_at_)newbabe(_dot_)mengwong(_dot_)com>
to=<mengwong(_at_)spf(_dot_)pobox(_dot_)com> proto=ESMTP
helo=<newbabe.mengwong.com>
When I forge mail from a domain which appears in bulk.rhs.mailpolice.com,
<<< 220 dumbo.pobox.com ESMTP Postfix
>>> EHLO newbabe.mengwong.com
<<< 250-dumbo.pobox.com
<<< 250-PIPELINING
<<< 250-SIZE 10240000
<<< 250-VRFY
<<< 250-ETRN
<<< 250 8BITMIME
>>> MAIL FROM:<mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com>
<<< 250 Ok
>>> RCPT TO:<mengwong(_at_)spf(_dot_)pobox(_dot_)com>
<<< 554 <mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com>: Sender
address rejected: agupimail observed policy failure for sender:
mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com found in
bulk.rhs.mailpolice.com
The corresponding excerpt from syslog:
Attribute: client_address=209.2.32.36
Attribute: client_name=newbabe.mengwong.com
Attribute: extra_arg=
Attribute: helo_name=newbabe.mengwong.com
Attribute: instance=00513e.00414119e1.000000
Attribute: protocol_name=ESMTP
Attribute: protocol_state=RCPT
Attribute: queue_id=
Attribute: recipient=mengwong(_at_)spf(_dot_)pobox(_dot_)com
Attribute: request=smtpd_access_policy
Attribute: sender=mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com
Attribute: size=0
testing: stripped
sender=mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com, stripped
rcpt=mengwong(_at_)spf(_dot_)pobox(_dot_)com
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.rating.cloudmark.com...
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.wl.trusted-forwarder.org...
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.dnswl.mailzone.com...
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.bulk.rhs.mailpolice.com...
karma_query(ptr:newbabe.mengwong.com): querying
newbabe.mengwong.com.rhsbl.ahbl.org...
agupimail policy_status for ptr identity newbabe.mengwong.com returned
UNKNOWN: no result from the karma system.
agupimail now going to look for auth_status...
: ptr_status: testing newbabe.mengwong.com
pass: spf/PTR smtp_comment=Please see
http://spf.pobox.com/why.html?sender=newbabe.mengwong.com&ip=209.2.32.36&receiver=dumbo.pobox.com:
newbabe.mengwong.com A 209.2.32.36, header_comment=dumbo.pobox.com: domain of
newbabe.mengwong.com designates 209.2.32.36 as permitted sender
agupimail auth_result for ptr identity newbabe.mengwong.com is PASS
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.rating.cloudmark.com...
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.wl.trusted-forwarder.org...
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.dnswl.mailzone.com...
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.bulk.rhs.mailpolice.com...
karma_query(helo:newbabe.mengwong.com): querying
newbabe.mengwong.com.rhsbl.ahbl.org...
agupimail policy_status for helo identity newbabe.mengwong.com returned
UNKNOWN: no result from the karma system.
agupimail now going to look for auth_status...
pass: spf/HELO smtp_comment=Please see
http://spf.pobox.com/why.html?sender=newbabe.mengwong.com&ip=209.2.32.36&receiver=dumbo.pobox.com:
newbabe.mengwong.com A 209.2.32.36, header_comment=dumbo.pobox.com: domain of
newbabe.mengwong.com designates 209.2.32.36 as permitted sender
agupimail auth_result for helo identity newbabe.mengwong.com is PASS
karma_query(sender:mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com):
querying mail.optin-broadcast.com.rating.cloudmark.com...
karma_query(sender:mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com):
querying mail.optin-broadcast.com.wl.trusted-forwarder.org...
karma_query(sender:mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com):
querying mail.optin-broadcast.com.dnswl.mailzone.com...
karma_query(sender:mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com):
querying mail.optin-broadcast.com.bulk.rhs.mailpolice.com...
agupimail policy_status for sender identity
mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com returned FAIL:
mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com found in
bulk.rhs.mailpolice.com
agupimail now going to look for auth_status...
agupimail auth_result for sender identity
mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com is unchecked
agupimail overall: decided action=REJECT agupimail observed policy failure
for sender: mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com found in
bulk.rhs.mailpolice.com
postfix/smtpd[20798]: NOQUEUE: reject: RCPT from
newbabe.mengwong.com[209.2.32.36]: 554
<mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com>: Sender address rejected:
agupimail observed policy failure for sender:
mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com found in
bulk.rhs.mailpolice.com;
from=<mengwong(_at_)mail(_dot_)optin-broadcast(_dot_)com>
to=<mengwong(_at_)spf(_dot_)pobox(_dot_)com> proto=ESMTP
helo=<newbabe.mengwong.com>
A short list of RHSBLs can be found at
http://www.sdsc.edu/~jeff/spam/cbc.html
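
The decision flow visible in the two syslog excerpts above, as an added Python example; it is not the agupimail source and is not part of the original message. Assumptions: the allow/deny role of each zone (rating.cloudmark.com is left out because its answer semantics are not shown), stopping at the first policy FAIL, returning `DUNNO` on acceptance, the `is_listed` and `spf_pass` stubs that stand in for DNS and SPF, and the constructed host names.

```python
# Added illustration, not the agupimail source. Zone roles are assumptions.
ZONES = [
    ("wl.trusted-forwarder.org", "allow"),
    ("dnswl.mailzone.com", "allow"),
    ("bulk.rhs.mailpolice.com", "deny"),
    ("rhsbl.ahbl.org", "deny"),
]
DEFAULT_REJECT = (
    "Sorry, agupimail requires that your message be sent through an "
    "authenticated channel, and that the sender be recognized by the "
    "receiving system.")

def parse_request(text):
    """Postfix policy delegation request: name=value lines, then an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def karma(domain, is_listed):
    """Return (status, zone), stopping at the first zone that lists the domain."""
    for zone, role in ZONES:
        if is_listed(f"{domain}.{zone}"):
            return ("PASS" if role == "allow" else "FAIL"), zone
    return "UNKNOWN", None

def decide(attrs, is_listed, spf_pass):
    """Accept only if some identity is both recognized and authenticated."""
    identities = [("ptr", attrs["client_name"]), ("helo", attrs["helo_name"]),
                  ("sender", attrs["sender"])]
    accepted = False
    for kind, ident in identities:
        status, zone = karma(ident.rpartition("@")[2], is_listed)
        if status == "FAIL":  # auth is left unchecked, as in the second excerpt
            return (f"action=REJECT agupimail observed policy failure for "
                    f"{kind}: {ident} found in {zone}\n\n")
        accepted = accepted or (spf_pass(kind, ident) and status == "PASS")
    return "action=DUNNO\n\n" if accepted else f"action=REJECT {DEFAULT_REJECT}\n\n"

# Constructed request; the stubs passed to decide() mean no DNS is contacted.
REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
           "client_address=192.0.2.36\nclient_name=mail.sender.example\n"
           "helo_name=mail.sender.example\nsender=user@mail.sender.example\n"
           "recipient=rcpt@receiver.example\n\n")
```

With `is_listed` always false and `spf_pass` always true, `decide(parse_request(REQUEST), ...)` reproduces the first excerpt: every identity authenticates, none is recognized, and the default reject text is returned.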