On 24/Oct/11 02:19, Paul Smith wrote:
On 23/10/2011 22:43, Steve Atkins wrote:
A third, which is a lot more common and complex to resolve than
you'd expect, is organizations simply not knowing or not
controlling where their mail is sent from.
Forcing users to submit via official domain servers is one of the
points SPF is good at.
There've been cases both for SPF and ADSP ("SPF for DKIM") where
one group within a company put out a restrictive policy based on
their beliefs of where mail was sent from, and it all fell to
pieces when employees got kicked off mailing lists when mail
appearing to come from them was delivered from the mailing list
manager and rejected due to auth failure, or where internal
monitoring email sent from servers (cron, even) was silently
discarded.
This is the problem of people who should know better not
understanding what's going on.
Yes, if I've understood the OP's complaint correctly, someone should
have removed an SPF check altogether rather than leaving it in a
check-but-don't-enforce hybrid status.
If the company had a policy that all mail from their domain had to
go through certain servers, and employees were sending mail through
other servers, then they deserved to get kicked off mailing
lists... Just as they would deserve punishment for watching porn
over the work Internet connection, etc.
For the record, you get kicked off a mailing list when you reject
mailing list messages. This can happen when you enforce ADSP and thus
reject messages with broken author domain's signatures. That is, the
duly compliant receiver gets punished in that case.
ADSP is more broken than SPF, with respect to forwarding. SPF always
claimed to be valid for first hops only, and predicated to change the
envelope sender for further hops. DKIM initially seemed to overcome
that limitation, but RFC 6377 finally clarified it cannot cope with
forwarding either (and nobody wants to change the value of From:).
The problem is that for years email was virtually unregulated (open
relays were commonplace 15 years ago) which is why it is now so widely
abused. The only chance of cutting back abuse is to tighten things up.
Saying that attempts to tighten it up are "fatally flawed" just
because people can't be bothered to do things properly is dooming the
whole system to failure.
Very much agreed.
With two policies out of two that choke on forwarding, I'd suspect the
culprit is the latter. Indeed, forwarding implies that target
addresses are being kept on a server. Hence, such server must have
some sort of authorization for using them. Why don't we check that?
http://fixforwarding.org/
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg