Alessandro Vesely wrote, On 6/25/09 7:37 AM:
For example, assume someone trusts Gmail's egress filtering
I'll play along. It is certainly possible that for some recipients, the
stream of mail from Google's sewer is cleaner than what I see...
and wants to
skip content filtering for mail coming from there. What work is required
to accomplish (and maintain) that task, on typical MTA software?
I'm going to assume you don't mind an answer based on a common add-on to
common MTA software: SpamAssassin hooked into Sendmail or Postfix via one of
the multiple 'milter' packages that will do that. SA can be hooked into
other MTA's as well and is a component in some commercially packaged
spam-filtering appliances, so I think it is reasonable to consider it
"typical" even it is technically is not an integral part of any MTA.
This is a situation where SPF is a useful tool. If I want to make sure that
SpamAssassin never deems mail from a *(_at_)gmail(_dot_)com address to be spam as long
as it gets an affirmative SPF match (i.e. is coming from what Google says
are its normal gmail.com outbounds) I would just add this to my local
SpamAssassin config:
whitelist_from_spf *(_at_)gmail(_dot_)com
SPF can handle well the problem of whitelisting the normal outbound paths
for a complex mail system that isn't persistently congruent with a set of
hosts whose FQDN's share a domain tail or a small number of networks with
clean octet boundaries (e.g. a small number of /24 ranges). Most major MTA's
can directly define trusted networks based on octet or CIDR notation and
trusted domains based on verified client hostnames patterns, so in many
cases of simpler sending systems whitelisting does not require SpamAssassin
or other SPF-based mechanisms. For complex senders who have complex and
dynamic outbound environments, refuse to publish SPF records, but do use
DKIM (e.g. Yahoo) there is probably some way to use DKIM as the
authentication that a message is coming from a system that you trust. I
can't say how easy or hard that would be, since I've never seen enough
marginal value in DKIM to bother with it.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg