
SPF checking when some mail is coming through proxy

Frater

Regular Pleskian
I am running Plesk on a system with 4 IPs.
On 2 IPs the smtp-server listens directly, on the other one it listens to an SMTP-proxy (ASSP).

This ASSP-proxy is doing a lot of anti-spam, among them SPF-protection...

I just finished a debugging session and found out that the SMTP-server is rejecting mail from clients using SPF with " -all" and going through the proxy.
This is because I also enabled SPF-protection on the SMTP-server using the Plesk webif.
Mails aren't coming from the original IP, but from itself (the proxy is running on that same server), so they fail the test.
I always assumed this was overruled by 'my_networks', but it isn't.

I now turned SPF off on Plesk.

I would like to turn it on, because the other 2 IPs are not protected by this ASSP.
I think I can do this with local rules, but there's not a lot of explanation about what I can put there...
Only mail coming from the local IPs should not be checked.....
 
I would like to know what happens if I add something in local policies....

Which syntax to use and where will it be applied....

A local policy could be:

- a policy that's used if the other party doesn't have an SPF-record
- a policy that's used instead of the domain's SPF-record
- a policy that's added to the current policies....

Syntax could be:

- a full SPF-record
- only some items
 
I still think it's a bug that SPF-checking is done on mail that is coming from "mynetworks".
Could you please tell me where I should look to get this fixed myself?

This milter should only be called if it isn't coming from a trusted source...
 
---------------------------------------------------------------
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk Panel 10.4.4 Update #11
CentOS Linux 2.6.18-274.7.1.el5xen
Postfix
xen VM


PROBLEM DESCRIPTION AND STEPS TO REPRODUCE

SPF checking is done on mail coming from its own network (mynetworks).
The mail is coming from its own IPs because a NON-transparent proxy is used in front of postfix for 2 of the 4 IPs.

ACTUAL RESULT

Mail coming from domains that have a restrictive policy (-all) is being refused when it is coming from the proxy.

EXPECTED RESULT

Because mail is coming from its own network, it should NOT do any SPF-checking (nor any other sender checking).

ANY ADDITIONAL INFORMATION

If all IPs were protected by this proxy I would just turn off SPF. By only using 2 IPs instead of all 4 for this proxy I can easily put some users behind the proxy or not.
Now those domains that are not behind a proxy don't get SPF-checking on their incoming mail.
--------------------------------------------------------------
 
Thank you. I have forwarded your request to developers from Plesk Service Team. I will update the thread with results as soon as I receive them.
 
But how?

Nothing is explained there.
If I add an SPF-expression there, will it be added (like an include)?
If the sender has no SPF-record, will there be no checking (I hope so)?
Can a "-all" be used in that local expression and will the original SPF-record be respected?

Some examples of how it is supposed to behave should have been included.

BTW. I do know how SPF works (how it should handle includes). It isn't made clear how it is implemented here. I'm using a proxy here, but it could as well be a local mail relay.
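
The failure described in this thread, as an added example that is not from any poster and is not Plesk's or Postfix's code: a minimal model of an SPF check that sees the proxy's address instead of the original client, with and without a trusted-network exemption. The addresses, `MYNETWORKS` and the SPF record are constructed sample values, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/28"]    # hypothetical trusted networks
SENDER_SPF = "v=spf1 ip4:198.51.100.0/24 -all"  # constructed restrictive policy
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def evaluate_spf(record, client_ip):
    """Evaluate ip4/ip6/all left to right; other mechanisms are skipped (no DNS)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6") and arg and in_networks(client_ip, [arg]):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def smtp_decision(client_ip, record, exempt_trusted):
    """Return (spf_result, action) for the address the MTA sees on the socket."""
    if exempt_trusted and in_networks(client_ip, MYNETWORKS):
        return ("skipped", "accept")  # the proxy already did the sender checks
    result = evaluate_spf(record, client_ip)
    return (result, "reject" if result == "fail" else "accept")

if __name__ == "__main__":
    cases = [
        ("direct, legitimate sender", "198.51.100.25"),
        ("same mail via local proxy", "127.0.0.1"),
        ("direct, forged sender", "203.0.113.9"),
    ]
    for exempt in (False, True):
        for label, ip in cases:
            print(exempt, label, ip, smtp_decision(ip, SENDER_SPF, exempt))
```

The exemption is only safe for connections where the proxy itself enforces SPF, because the MTA never sees the original client address for that traffic.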
 