spf-discuss

Re: Solving the Forwarding Problem for good!!!

2004-01-17 22:26:35


Yes. After the DATA phase, the message can still be rejected (like an
anti-virus milter would do, for instance), but not DURING the data phase.
So, once you negotiated the start of the DATA phase, you will then have to
slurp in the entire message first, which is rather inefficient for SPF
checks.

Hmmmn.  A thought, and admittedly it's likely a bad one.

If for some valid reason you were not able to determine
if a message should be blocked before data and needed to
examine the header a bit, and once you read enough of the
content were able to determine that it should in fact be
dropped, you could

        * close the connection immediately
        * save the ehlo/mail from/rcpt to/client ip
          as a 'ban next time' tuple
        * when the remote server attempts to resend it,
          block the email before DATA.

This would have a chance of blocking legit email, so it's
almost a guaranteed bad idea.  But it could be useful in
the cases where you're fairly sure the tuple is unique and
won't have false positives.  No need to slurp all the data
before rejecting.  Has a 'greylisting' feel to it.


--
Brian Hatch                  No windows were
   Systems and                crashed in the
   Security Engineer          creation of this
http://www.ifokr.org/bri/     email message.

Every message PGP signed
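
A minimal sketch of the 'ban next time' tuple described in the message above, added here as an illustration; it is not code from the post or from any SPF implementation. The class and method names, the TTL and the reply texts are assumptions.

```python
import time


class BanNextTime:
    """Remember envelopes dropped mid-DATA; reject their retry at RCPT TO."""

    def __init__(self, ttl_seconds=4 * 3600):  # TTL is an assumed value
        self.ttl = ttl_seconds
        self._banned = {}  # (ehlo, mail from, rcpt to, client ip) -> expiry

    @staticmethod
    def _key(ehlo, mail_from, rcpt_to, client_ip):
        # Host names and domains compare case-insensitively; the local part
        # of an address is kept exactly as the client sent it.
        def addr(a):
            local, _, domain = a.strip("<>").rpartition("@")
            return f"{local}@{domain.lower()}"
        return (ehlo.lower(), addr(mail_from), addr(rcpt_to), client_ip)

    def dropped_during_data(self, ehlo, mail_from, rcpt_to, client_ip, now=None):
        """Call after closing the connection part-way through DATA."""
        now = time.time() if now is None else now
        key = self._key(ehlo, mail_from, rcpt_to, client_ip)
        self._banned[key] = now + self.ttl

    def reply_at_rcpt(self, ehlo, mail_from, rcpt_to, client_ip, now=None):
        """SMTP reply to give at RCPT TO, before DATA is negotiated."""
        now = time.time() if now is None else now
        key = self._key(ehlo, mail_from, rcpt_to, client_ip)
        expiry = self._banned.get(key)
        if expiry is None:
            return "250 2.1.5 Ok"
        if now >= expiry:
            # Stale entry: expire it so an old ban cannot hit later mail
            # that happens to share the same tuple.
            del self._banned[key]
            return "250 2.1.5 Ok"
        return "550 5.7.1 Message refused on previous attempt"
```

The expiry bounds the false-positive window the message worries about: a tuple that is not retried within the TTL is forgotten rather than blocked indefinitely.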
