spf-discuss

RE: .forward issues

2003-10-21 11:08:47
Roy Badami wrote:
So, all three systems are RFC-compliant, and yet the mail bounces.
This is untenable, IMHO.  User A really will send a mail to user C, it
really will bounce, and each of the three ISPs will blame the others.
And all three ISPs really will be complying with the RFCs.  And
situations like this will give SPF a bad rep.

I believe the correct way to address this is that receiving systems
which apply SPF checks need to take responsibility for accepting mail
from (non-SRS) accounts that forward to them.

I liked someone's previous suggestion that the forwarding mail server
should change the envelope address and NOT the from address.  The way I
see it, if a mail server is going to provide forwarding services, it
should be responsible for two SEPARATE things:

1. Determining the authorization of the host sending the message to send
for the original envelope address.

2. Getting the forwarded message to the destination.

Responsibility #1 is taken care of by SPF.  Responsibility #2 however is
impeded by SPF, unless the forwarding mail server re-writes the envelope
or uses a scheme like SRS.

Because the forwarding mail server is taking on the responsibility of
forwarding the message, mailer-daemon@forwardingserver really should be
the new envelope address, while the from: address stays the same.  The
final destination will accept the forwarded message via an SPF check
because the envelope matches the sending host (the forwarding server).
If the mail bounces, it will return to mailer-daemon@forwardingserver
which should then recognize that it forwarded the original message
(perhaps by looking at the from: line, a header line that it added when
forwarding, etc. and perhaps cross-referencing its logs) and then
forward the bounce to the original sender.

Logically that makes sense to me, seems a lot less kludgey than SRS, and
may require less code change to existing MTAs than implementing SRS
will.  The host actually connecting and sending the message should be
declared via SPF for the envelope address, and that entity should be
responsible for handling bounces, even if it needs to forward the
bounce.

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
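
The forwarding scheme proposed in this message, sketched as an added Python example (not code from the post or from any MTA): the forwarder SPF-checks the original envelope, rewrites only the envelope sender, and maps a returning bounce back to the original sender. The `*.example` hosts, the `X-Fwd-Token` header, the `SPF` table standing in for DNS, and the random token are assumptions made for the illustration.

```python
import re
import secrets
from email.message import EmailMessage

# Constructed SPF data: domain -> hosts allowed to send for it (stand-in for DNS).
SPF = {"a.example": {"mx.a.example"}, "fwd.example": {"mx.fwd.example"}}

def spf_pass(env_from, client_host):
    """Toy SPF check: is client_host listed for the envelope sender's domain?"""
    return client_host in SPF.get(env_from.rsplit("@", 1)[-1], set())

class Forwarder:
    """Forwarding host that takes over the envelope sender, as the post proposes."""
    HOST, BOUNCE = "mx.fwd.example", "mailer-daemon@fwd.example"
    TOKEN = re.compile(r"^X-Fwd-Token: ([0-9a-f]{32})\s*$", re.M)  # hypothetical header

    def __init__(self, aliases):
        self.aliases = aliases   # local mailbox -> forwarding target
        self.log = {}            # token -> original envelope sender

    def forward(self, env_from, rcpt, client_host, msg):
        if not spf_pass(env_from, client_host):  # responsibility 1: SPF on the original envelope
            return None
        # Responsibility 2: own the onward hop. Only the envelope changes, the
        # From: header is untouched. The token is random (an assumption added
        # here) so a forged bounce cannot be steered to an arbitrary address.
        token = secrets.token_hex(16)
        self.log[token] = env_from
        msg["X-Fwd-Token"] = token
        return self.BOUNCE, self.aliases[rcpt], msg

    def handle_bounce(self, bounce_text):
        """Return the original sender to relay a bounce to, or None to drop it."""
        m = self.TOKEN.search(bounce_text)
        return self.log.pop(m.group(1), None) if m else None

def demo():
    fwd = Forwarder({"b@fwd.example": "c@c.example"})
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@a.example", "b@fwd.example", "hi"
    msg.set_content("hello")
    env_from, rcpt, out = fwd.forward("a@a.example", "b@fwd.example", "mx.a.example", msg)
    return {
        "unrewritten_passes": spf_pass("a@a.example", Forwarder.HOST),
        "rewritten_passes": spf_pass(env_from, Forwarder.HOST),
        "from_header": out["From"],
        "bounce_to": fwd.handle_bounce("Delivery failed.\n\n" + out.as_string()),
        "forged_bounce_to": fwd.handle_bounce("X-Fwd-Token: " + "0" * 32 + "\n"),
    }
```

Calling `demo()` shows the destination's SPF check failing for the unrewritten envelope and passing for the rewritten one, while the bounce still reaches the original sender and a bounce with an unknown token is dropped.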
