spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: sendmail-milter-spf-1.1.pl script and secondary MX

2004-01-09 17:20:20
from [Mark] [Permanent Link] 
----- Original Message -----
From: "Alain Knaff" <alain(_at_)knaff(_dot_)lu>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Cc: <admin(_at_)asarian-host(_dot_)net>
Sent: Friday, January 09, 2004 3:50 PM
Subject: sendmail-milter-spf-1.1.pl script and secondary MX


Example:

peter(_at_)aol(_dot_)com attempts to send a mail to me(_at_)mydomain(_dot_)com

1. as mx1.mydomain.com is busy, the mail goes to the secondary mx
(mx2.mydomain.com).
2. The mail is accepted by mx2.mydomain.com because it does really
come from one of AOL's approved IPs
3. Eventually, mx2.mydomain.com wants to forward it to
mx1.mydomain.com, because that's the machine where the user mailboxes
are physically located.
4. However, mx1 refuses the mail, because mx2.mydomain.com is not
listed

And no, putting an OK for mx2.mydomain.com into /etc/mail/access
doesn't help, apparently the milter's rejection takes precedence.


It seems there are two lines of thought: either implement MX checks at MTA
level, or make it part of Mail::SPF::Query.

Since asymmetry between mail exchangers is generally a bad idea, I think we
should work from the assumption, that when we receive mail from a secondary
MX, that this secondary MX has already done SPF checks, and added the
appropriate header, reflecting the result of that check.

So that when we receive a forward from our secondary MX, Mail::SPF::Query
should probably be skipped altogether even. And this because of the
aforementioned symmetry: the topmost Received-SPF header should reflect the
result of the SPF-check against the IP address of the connecting client, as
received by either MX 1 or MX 2. Treating a secondary MX as another relay, I
dunno, it does not feel right to me.

YMMV, of course. :)

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±€Ö€Íµø?¡
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: major forwarders in trusted-forwarder.org, wayne
Next by Date:  Re: Re: sendmail-milter-spf-1.1.pl script and secondary MX, Meng Weng Wong
Previous by Thread:  RE: sendmail-milter-spf-1.1.pl script and secondary MX, Julian Mehnle
Next by Thread:  Re: Re: sendmail-milter-spf-1.1.pl script and secondary MX, Meng Weng Wong
Indexes:  [Date] [Thread] [Top] [All Lists]