spf-discuss

Re: SHOULD (NOT) SPF-compliants MTAs send bounces?

2003-12-01 10:23:46
Hi Dan

That's most definitely the only true way... but under certain
circumstances you might have SPF not during the SMTP session... say in
SpamAssassin or some other dedicated machine which you have to run all
those tests and a mere "mail catcher" in front of it - be it for short
latency of inbound mails or just that you have a TLS enabled system
which has problems doing proxy-smtp for amavis or whatever else forces
you to do SPF on the not first incoming point of outer contact (be it
that the mail got relayed from your secondary MX which might not be SPF
aware).

To make it short, if you have one system in your network that is not SPF
aware but forwards mail to other systems in your network, then you will
experience the pain of trying to deliver an NDR to a user that does
either not exist or was forged from an "unauthorized" system - in the
end you might blame someone for sending a mail from an unauthorized
system which he/she never did.

It's the old debate: Should I send a notification if my AV scanner on
the mail system detects a virus.... HELL NO!... I have a Unix system and
got several dozen AV reports claiming that I sent a virus, during the
last bigger virus-wave... I hate that... that makes me block
mailservers...

So what's the point: yes, do REJECTs, but make sure that all systems are
SPF aware and have the same mail policy, and don't let non-SPF aware
machines forward mails to you.

my 2c
Philipp


On Mon, Dec 01, 2003 at 15:36:36 +0000, Dan Boresjo wrote:
On Monday 01 December 2003 6:57 am, Mark wrote:
What remains, is the irony that the one situation where a bounce is
always arriving at the wrong address, is when that notification is in
response to the determination that the return-address is a forgery. :)

You could just return a 5xx code in response to the "MAIL FROM" command.
Most MTA's seem to mangle meaningful multiline responses so it is difficult to
provide a response that will be explanatory to ordinary users, but at least 
this way you know the bounce goes back to the actual sender.

- Dan

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/
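
The reject-versus-bounce decision discussed in this thread, as an added Python example that is not part of the original messages or of any SPF implementation. The SPF record, the relay address 10.0.0.2, and the names `spf_result` and `decide` are constructed for illustration, and the SPF evaluation is simplified to `ip4` and `all` mechanisms with no DNS lookups.

```python
import ipaddress

# Constructed sample data, not real DNS: a toy SPF policy for example.org.
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}
# Hypothetical internal hosts that relay to us without checking SPF
# (for instance a secondary MX or a TLS front end).
INTERNAL_RELAYS = {ipaddress.ip_address("10.0.0.2")}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

REJECT = "550 rejected in reply to MAIL FROM"
QUARANTINE = "accept, then quarantine or discard; never send an NDR"
ACCEPT = "accept"


def spf_result(client_ip, domain):
    """Simplified SPF check: only ip4 and all mechanisms, no DNS lookups."""
    record = SPF_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def decide(peer_ip, origin_ip, mail_from):
    """peer_ip is the host connected to us; origin_ip is the external host
    that first handed the message to our network (taken from the relay's
    own Received header when peer_ip is one of our relays)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    first_hop = ipaddress.ip_address(peer_ip) not in INTERNAL_RELAYS
    # Checking SPF against our own relay's address would be meaningless,
    # so behind a relay the check uses the external origin instead.
    result = spf_result(peer_ip if first_hop else origin_ip, domain)
    if result != "fail":
        return ACCEPT
    # At the first hop the forger's own client receives the 5xx. Behind a
    # relay the peer is our own machine, which would turn a rejection into
    # a bounce addressed to the forged sender.
    return REJECT if first_hop else QUARANTINE
```
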
