Confusing issue regarding SPF_FAIL and local delivery


by arjones85

I have an extremely confusing SPF_FAIL issue that I have been looking up for around 3 hours now trying to figure out. My current setup is a single server that does everything mail related all from the same box. SMTP, POP, IMAP, MX, SpamAssassin, ClamAV, everything mail-related is all done on the same box and same IP.

The SMTP server, Exim, uses SMTP-AUTH for authorizing external users to send mail. When an external user sends an email to the same domain on the box, for example bob@domain.com sends an email to dave@domain.com, the email is obviously destined for local delivery and gets delivered fine. The issue is that for some reason SpamAssassin does an SPF lookup when the mail is delivered and decides that the SPF record fails. For some reason it is using the IP address of the external user to check against the domain's SPF record, and it gets marked as spam because of this.

The weird thing is, if I send an email to myself, spf_fail doesn't get triggered. Or, if I make a separate email account on the server, for example blah@eggycrew.com, and send an email to dave@eggycrew.com, it also doesn't trigger spf_fail. The only difference between my machine and the other person's machine is that I am using an SSL-secured connection (also run on the same box with the same IP) to send the mail.

What causes this? Why is it doing that?

SpamAssassin's trusted_network configuration caught my eye. What exactly does this do, and should I put my box's ip address in there? Would that fix the problem? I read the man page entry on trust_network and it *seems* like it might fix this issue but I just want to double check.

Lots of confusion over this issue, and I just flat don't understand it.

I do appreciate any and all help!

Thanks!

Re: Confusing issue regarding SPF_FAIL and local delivery

by Jari Fredriksson

> SpamAssassin's trusted_network configuration caught my
> eye. What exactly does this do, and should I put my box's
> ip address in there?

Absolutely. You put all your internal servers and possible ISP servers there too. Trusted networks are networks and hosts that you trust are not generating spam. They may deliver spam to you, but not generate it. And mostly, they will not tamper with email headers, that's what the trust is about.






Re: Confusing issue regarding SPF_FAIL and local delivery

by John Hardin

On Sun, 23 Sep 2007, Jari Fredriksson wrote:

> > SpamAssassin's trusted_network configuration caught my
> > eye. What exactly does this do, and should I put my box's
> > ip address in there?
>
> Absolutely. You put all your internal servers and possible ISP
> servers there too. Trusted networks are networks and hosts that
> you trust are not generating spam.

Incorrect! "trust" means the Received: headers they generate are
trusted to be accurate (i.e. not forged), **not** that those hosts are
not originating spam!

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@...    FALaholic #11174     pgpk -a jhardin@...
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79


Re: Confusing issue regarding SPF_FAIL and local delivery

by Bugzilla from holmgren@lysator.liu.se

On Sunday 23 September 2007 18:50, John D. Hardin wrote:

> On Sun, 23 Sep 2007, Jari Fredriksson wrote:
> > > SpamAssassin's trusted_network configuration caught my
> > > eye. What exactly does this do, and should I put my box's
> > > ip address in there?
> >
> > Absolutely. You put all your internal servers and possible ISP
> > servers there too. Trusted networks are networks and hosts that
> > you trust are not generating spam.
>
> Incorrect! "trust" means the Received: headers they generate are
> trusted to be accurate (i.e. not forged), **not** that those hosts are
> not originating spam!

No, Jari is correct. He also wrote "And mostly, they will not tamper with
email headers, that's what the trust is about.", but you left that out. And
hosts in trusted_networks *are* (mildly) trusted not to originate spam.
That's what ALL_TRUSTED is about.

--
Magnus Holmgren        holmgren@...
                       (No Cc of list mail needed, thanks)



Re: Confusing issue regarding SPF_FAIL and local delivery

by John Hardin

On Sun, 23 Sep 2007, Magnus Holmgren wrote:

> On Sunday 23 September 2007 18:50, John D. Hardin wrote:
> > On Sun, 23 Sep 2007, Jari Fredriksson wrote:
> > > > SpamAssassin's trusted_network configuration caught my
> > > > eye. What exactly does this do, and should I put my box's
> > > > ip address in there?
> > >
> > > Absolutely. You put all your internal servers and possible ISP
> > > servers there too. Trusted networks are networks and hosts that
> > > you trust are not generating spam.
> >
> > Incorrect! "trust" means the Received: headers they generate are
> > trusted to be accurate (i.e. not forged), **not** that those hosts are
> > not originating spam!
>
> No, Jari is correct. He also wrote "And mostly, they will not
> tamper with email headers, that's what the trust is about.", but
> you left that out. And hosts in trusted_networks *are* (mildly)
> trusted not to originate spam.  That's what ALL_TRUSTED is about.

That's fair. I focused too quickly on the "not generate spam" part.

Apologies.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@...    FALaholic #11174     pgpk -a jhardin@...
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
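
Added example, not part of the thread and not SpamAssassin's own code: a simplified Python model of the point debated above, that listing a relay as trusted means believing the Received: header it wrote, which in turn decides which relay IP is the first untrusted one (the address an SPF check would be run against). All hostnames and addresses are constructed documentation placeholders, and the header format is reduced to `from HOST ([IP]) by HOST`.

```python
import ipaddress
import re

# Constructed sample, newest header first, as the final server (192.0.2.10) sees it.
SAMPLE_HEADERS = [
    "from relay.isp.example ([198.51.100.7]) by mail.example.org with esmtp",
    "from sender.example.net ([203.0.113.25]) by relay.isp.example with esmtp",
    # Written by the sending host itself, so it may be forged:
    "from mail.example.org ([192.0.2.10]) by sender.example.net with smtp",
]

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")


def parse_received(line):
    """Return the handing-off relay's name and IP plus the host that wrote the header."""
    m = RECEIVED_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable Received header: {line!r}")
    return {"from": m.group(1), "ip": ipaddress.ip_address(m.group(2)), "by": m.group(3)}


def is_trusted(ip, trusted_networks):
    return any(ip in ipaddress.ip_network(net) for net in trusted_networks)


def first_untrusted_relay(headers, trusted_networks):
    """Walk the chain newest-first.

    The top header was written by our own server, so its 'from' IP is believed.
    A deeper header is only read if the relay that wrote it was trusted. The walk
    stops at the first 'from' IP outside trusted_networks; headers below that
    point are never consulted, because an untrusted host could have forged them.
    Returns None when every relay in the chain is trusted.
    """
    for line in headers:
        relay = parse_received(line)
        if not is_trusted(relay["ip"], trusted_networks):
            return relay["ip"]
    return None


if __name__ == "__main__":
    for nets in (["192.0.2.10/32"], ["192.0.2.10/32", "198.51.100.7/32"]):
        print(nets, "->", first_untrusted_relay(SAMPLE_HEADERS, nets))
```

With only the local server listed, the ISP relay is the boundary; once the ISP relay is also listed, its header is believed and the boundary moves to the host that handed the message to it, while the bottom header claiming a trusted address is never read.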