ietf-asrg
[Top] [All Lists]

RE: [Asrg] Re: This is a request for feedback from experts/regularsto help reduce spam backscatter from Sieve implementations

2006-12-01 17:53:27
-----Original Message-----
From: David Nicol [mailto:davidnicol(_at_)gmail(_dot_)com] 
Sent: vrijdag 1 december 2006 22:24
Cc: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Re: This is a request for feedback from 
experts/regularsto help reduce spam backscatter from Sieve 
implementations


On 11/30/06, Frank Ellermann <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> 
wrote:

It's no illusion, it's the definition, and senders know
that it can't work reliably (if at all) if SPF is checked
behind the border-MX.

As I understand it:

receivers that do SPF checks past the border are broken.

Yes. Which is to say, receivers who do SPF checks on the envelope-from /
HELO, using the connecting IP address of anything that does not belong
to the client at the border MTA, are broken.

Repair options include (1) special-casing border machines
(2) doing SRS forwarding from the border instead of
plain forwarding.

SRS really is meant more for "outgoing" connections (into the real world).
It seems kinda silly, IMHO, to do SRS rewriting towards any of the
machines in your network past the border. Those machines should simply not
be doing SPF-checks. Or, if they do, like, say, a machine with
SpamAssassin on it, with Mail::SpamAssassin::Plugin::SPF running, they can
use the info of the connecting client (from the border) in the
Received headers added by their own, trusted network.

Otherwise, doing SRS towards your own network just means you're getting a
continual "pass" for nothing else but the domain of your own border MTA.
At which point, hopefully, the futility of doing so kicks in. :)

- Mark


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg