spf-discuss

Re: RE: sendmail-milter-spf-1.1.pl script and secondary MX

2004-01-09 09:48:28
Kenn Humborg wrote:

If you have multiple backups at different priorities, you'll need
to tell each mailserver to trust all the other servers with lower
priorities.  Which is a pain, especially if they are administered
by different people.

Also, these servers should only trust each other for mail destined
for your domain, since the set of MX servers depends on the recipient
domain, not the sender domain.  Each recipient of a message could have
a different set of MX servers, in different priority order.


Exactly. To fix this, I produced a patch for Mail::SPF::Query. Meng argues that this should not be part of Mail::SPF::Query, and that is a valid viewpoint (albeit one that I disagree with ;-) )

The alternative to putting the logic into Mail::SPF::Query is to put it into Mail::SPFMX::Query which then wraps Mail::SPF::Query. This seems like a worse solution.

The fact is that MTA implementors need to be cognizant of the MX problem, and need to either fix it, or provide some way for the administrator to fix it. For reasons that I have expressed earlier, I believe (strongly) that if you rely on administrators to configure some stuff correctly, some percentage will get it wrong. If the MTA implementor can get it right, then that is a better route to take.

Of course, this doesn't deal with implementations that are not based on Mail::SPF::Query!

[BTW, I used a fairly simple algorithm:

For each recipient:

        If the message is known to be forged, then reject this recipient

   else If the message is from a secondary MX for this recipient, then
                allow

   else If the message fails the SPF check, then reject this recipient
                and mark the message forged

   else Allow this recipient

At the end, if the message is forged, reject the whole message.

A secondary MX is a system which is listed as an MX for a domain, and is not the highest priority MX. Note that in many (most?) cases, there is only zero or one MX record, and so there are no secondary MX hosts. Hence this check is pretty cheap.

If you are doing the SPF checks not in real time, then the algorithm can be somewhat simpler, but have the same effect.
]

Philip

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
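The per-recipient algorithm described in the message above, as an added Python sketch; it is not part of the original post and is not the Mail::SPF::Query patch. The function names, the `(preference, IP)` record shape, the injected `mx_for_domain` and `spf_fails` callables, and the sample addresses are all assumptions made for illustration.

```python
# Added illustration; names, data shapes and sample values are assumptions.
from typing import Callable, Dict, List, Set, Tuple

MxRecords = List[Tuple[int, str]]  # (preference, IP address of the MX host)

# Constructed sample MX data (documentation address ranges).
MX: Dict[str, MxRecords] = {
    "example.org": [(10, "192.0.2.10"), (20, "192.0.2.20")],
    "example.net": [(10, "198.51.100.5")],
}

def mx_for_domain(domain: str) -> MxRecords:
    """Stand-in for a DNS MX lookup resolved to IP addresses."""
    return MX.get(domain, [])

def secondary_mx_ips(records: MxRecords) -> Set[str]:
    """IPs listed as MX that are not at the best (lowest) preference."""
    if len(records) < 2:  # zero or one MX record: no secondaries exist
        return set()
    best = min(pref for pref, _ in records)
    primaries = {ip for pref, ip in records if pref == best}
    return {ip for pref, ip in records if pref > best} - primaries

def screen_message(client_ip: str, recipients: List[str],
                   mx_lookup: Callable[[str], MxRecords],
                   spf_fails: Callable[[], bool]):
    """Return (per-recipient verdicts, final verdict for the whole message)."""
    forged = False
    spf_failed = None  # SPF depends on sender and client only: evaluate once
    verdicts: Dict[str, str] = {}
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[1].lower()
        if forged:
            verdicts[rcpt] = "reject"          # already known to be forged
        elif client_ip in secondary_mx_ips(mx_lookup(domain)):
            verdicts[rcpt] = "allow"           # relayed by this domain's backup MX
        else:
            if spf_failed is None:
                spf_failed = spf_fails()
            if spf_failed:
                verdicts[rcpt] = "reject"
                forged = True                  # mark the message forged
            else:
                verdicts[rcpt] = "allow"
    return verdicts, ("reject" if forged else "accept")

if __name__ == "__main__":
    print(screen_message("192.0.2.20", ["a@example.org", "b@example.net"],
                         mx_for_domain, lambda: True))
```

Because the decision is made as each recipient arrives, recipient order changes the per-recipient verdicts but not the final outcome: one SPF failure for a recipient whose domain does not list the client as a secondary MX rejects the whole message.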