
Re: [Asrg] VPNs

2009-07-04 12:06:10
Alessandro Vesely wrote, On 6/25/09 7:37 AM:
> For example, assume someone trusts Gmail's egress filtering

I'll play along. It is certainly possible that for some recipients, the stream of mail from Google's sewer is cleaner than what I see...

> and wants to
> skip content filtering for mail coming from there. What work is required
> to accomplish (and maintain) that task, on typical MTA software?

I'm going to assume you don't mind an answer based on a common add-on to common MTA software: SpamAssassin hooked into Sendmail or Postfix via one of the multiple 'milter' packages that will do that. SA can be hooked into other MTAs as well and is a component in some commercially packaged spam-filtering appliances, so I think it is reasonable to consider it "typical" even if it is technically not an integral part of any MTA.

This is a situation where SPF is a useful tool. If I want to make sure that SpamAssassin never deems mail from a *@gmail.com address to be spam as long as it gets an affirmative SPF match (i.e. is coming from what Google says are its normal gmail.com outbounds) I would just add this to my local SpamAssassin config:

whitelist_from_spf *@gmail.com

SPF can handle well the problem of whitelisting the normal outbound paths for a complex mail system that isn't persistently congruent with a set of hosts whose FQDNs share a domain tail or a small number of networks with clean octet boundaries (e.g. a small number of /24 ranges). Most major MTAs can directly define trusted networks based on octet or CIDR notation and trusted domains based on verified client hostname patterns, so in many cases of simpler sending systems whitelisting does not require SpamAssassin or other SPF-based mechanisms. For complex senders who have complex and dynamic outbound environments, refuse to publish SPF records, but do use DKIM (e.g. Yahoo) there is probably some way to use DKIM as the authentication that a message is coming from a system that you trust. I can't say how easy or hard that would be, since I've never seen enough marginal value in DKIM to bother with it.
_______________________________________________
Asrg mailing list
Asrg@irtf.org
http://www.irtf.org/mailman/listinfo/asrg
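The two whitelisting approaches discussed in the post (an SPF-gated address whitelist in the style of SpamAssassin's `whitelist_from_spf`, and a plain CIDR trusted-network list as an MTA would configure it) can be seen side by side in the added example below. It is not code from the thread or from the SpamAssassin project: it is a toy SPF evaluator covering only the `ip4`, `ip6`, `include` and `all` mechanisms, fed by a constructed in-memory stand-in for DNS TXT lookups. The domain `example-mail.test`, its records, the addresses and the rule list are all invented for illustration. The point it makes is the one the post relies on: a pattern such as `*@example-mail.test` alone is forgeable, so the whitelist only fires when the connecting IP also produces an SPF `pass` for the sender's domain.

```python
import ipaddress
import re

# Constructed, offline stand-in for DNS TXT lookups. The domain and records
# are invented for this example and are not anyone's real published SPF data.
FAKE_DNS_TXT = {
    "example-mail.test": "v=spf1 include:_spf.example-mail.test -all",
    "_spf.example-mail.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Toy SPF evaluator handling ip4, ip6, include and all.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Mechanisms that need live DNS (a, mx, ptr, exists) are treated as
    non-matching here; a real evaluator resolves them.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; stop runaway includes
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in network:  # an IPv4/IPv6 version mismatch is simply no match
                return result
        elif mech == "include":
            # include matches only when the referenced domain yields 'pass'
            if check_spf(client_ip, arg, dns, depth + 1) == "pass":
                return result
        # a / mx / ptr / exists: skipped in this offline toy
    return "neutral"


def glob_to_regex(pattern):
    """SpamAssassin-style address glob: '*' is any run, '?' one character."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


# Constructed rule list, in the spirit of a whitelist_from_spf line.
WHITELIST_FROM_SPF = ["*@example-mail.test"]


def is_spf_whitelisted(envelope_from, client_ip, rules=WHITELIST_FROM_SPF, dns=FAKE_DNS_TXT):
    """Emulates the gating of whitelist_from_spf: the address must match a
    rule AND the connecting IP must get an SPF pass for the sender's domain."""
    domain = envelope_from.rpartition("@")[2]
    if not any(glob_to_regex(rule).match(envelope_from) for rule in rules):
        return False
    return check_spf(client_ip, domain, dns) == "pass"


# Constructed trusted-network list, the simpler CIDR-based MTA approach.
TRUSTED_NETWORKS = ["203.0.113.0/24"]


def in_trusted_networks(client_ip, networks=TRUSTED_NETWORKS):
    """Plain CIDR match, independent of any sender address or SPF record."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


if __name__ == "__main__":
    cases = [
        ("someone@example-mail.test", "192.0.2.10"),    # legitimate outbound
        ("someone@example-mail.test", "203.0.113.5"),   # forged address, SPF fail
        ("someone@other.test", "192.0.2.10"),           # no rule matches
    ]
    for sender, ip in cases:
        print(sender, ip, "spf=" + check_spf(ip, sender.rpartition("@")[2]),
              "whitelisted=%s" % is_spf_whitelisted(sender, ip),
              "trusted_net=%s" % in_trusted_networks(ip))
```

The second case is the one that matters for a defender: the address matches the rule, but the connecting host is outside the domain's published outbounds, so the record's `-all` yields `fail` and no whitelisting happens. The CIDR check is shown alongside because it is what an MTA's own trusted-network directive does when the sender's infrastructure is simple enough to enumerate.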