I’ve been working on a mail forwarding system which required me to implement SRS to allow people who use SPF to be customers of the service (as I use SPF on my domain it’s fairly important to me). Reading the web pages before actually trying to implement it things seemed quite easy. All over the web you will see instructions to just set up an /etc/aliases file that pipes mail through the srs utility.
The problem is that none of the srs utility programs actually support piped mail. It seems that the early design idea was to support piped mail but no-one actually implemented it that way. So you can call the srs utility to discover what the munged (cryptographically secure hash signed) originator of the email should be but you have to do the actual email via something else.
This wasn’t so much of a problem for me as I use my own custom maildrop agent to forward the mail instead of using /etc/aliases (Postfix doesn’t support what I want to do with /etc/aliases – dynamically changing the email routing as you receive it isn’t something that Postfix handles internally).
However I still have one problem. Sometimes I get two or three copies of the SPF header from Postfix when it checks them.
In my main.cf file I have a smtpd_recipient_restrictions configuration directive that contains check_policy_service unix:private/spfpolicy and the Postfix master.cf file has the following:
spfpolicy unix - n n - - spawn user=USER argv=/PATH/spf-policy.pl
Does anyone have any ideas why I would get multiple SPF checks and therefore multiple email header lines such as:
Received-SPF: none (smtp.sws.net.au: domain of SRS0=MUyCQ6=COfirstname.lastname@example.org does not designate permitted sender hosts) Received-SPF: none (smtp.sws.net.au: domain of SRS0=MUyCQ6=COemail@example.com does not designate permitted sender hosts) [some other headers] Received-SPF: pass (inumbers: domain of firstname.lastname@example.org designates 184.108.40.206 as permitted sender) Received-SPF: pass (inumbers: domain of email@example.com designates 220.127.116.11 as permitted sender) Received-SPF: pass (inumbers: domain of firstname.lastname@example.org designates 18.104.22.168 as permitted sender)
The email went through one mail router and then hit the destination machine, but somehow got 5 SPF checks along the way. Also the pair of identical checks had no lined between them and the set of three identical checks also had no lines between them. So multiple checks were performed without any forwarding. It seems that a single port 25 connection is giving two or three checks. Both machines run Postfix with SPF checking that is essentially idential (apart from being slightly different versions, Debian/unstable and RHEL4).
Any advice on how to fix this would be appreciated.