Author: Sebastian Arcus Date: To: exim-users Subject: Re: [exim] Proxy smtp connections to multiple Exim servers behind
proxy
c
On 17/04/2023 04:33, Ian Z via Exim-users wrote: > On Sun, Apr 16, 2023 at 07:11:51PM +0100, Sebastian Arcus via Exim-users wrote:
>
>> One thing I have to try and figure out is how Spamassassin does the
>> SPF checks. Does it look at all the Received: headers, and if at
>> least one of them matches one of the SPF records, then it's all
>> fine? Because if that's how it works, SA checks should pass even if
>> done on the back-end Exim server.
>
> I don't think it would work by default. SA has a concept of "trusted"
> Received headers (because, of course, in general spammers can and do
> forge headers) and by default only the first is trusted, ie. the one
> added by the MTA that ultimately called SA. I think there is a way to
> tweak the trusted setting, but
Thank you very much for that. It would make sense - all Received:
headers before the latest one in the chain could be added by spammers
manually.
I looked it up and it seems that Exim can be told not to add a Received:
header when handling email - by configuring in the corresponding transport:
received_header_text = ""
I'm not entirely happy with the idea of interfering with the record of
message flow - but I guess it remains an option. I might just add a
custom header instead, so that I will know the message has been through
the front-end machine - for diagnostic purposes.
>
> - configuration of SA is complex (though not as much as exim, lol)
> - I don't know if that would actually change the SPF result.
I couldn't agree more. I am permanently scarred emotionally from
installing and configuring SpamAssassin for the first time - and even
after years of working with it I don't feel like I've managed to tame it :-)
