spf-discuss

Re: SRS and secondary MX

2004-03-23 06:30:12
On Tue, 2004-03-23 at 13:07 +0000, Shevek wrote:
> The whole point of this thread is that the set of conditions you propose
> here is incomplete, and should include at least "and I am not the
> secondary MX for the recipient". There may be other conditions.

You're right. I was too lax in my conditions, mostly because I was
trying to be polite and downplay the use of the 'spf-afflicted-domains'
configuration option in my implementation.

I shouldn't have said "perhaps even rewriting only if the recipient
domain is actually known to check SPF". I should have made that
stronger, so it was at least "and not rewriting for domains known not to
check SPF on mail from this host". 

This would preclude rewriting for any mail destined for primary MX hosts
for which we're operating as backup MX -- because we _know_ that the
primary shouldn't be doing SPF checks on mail received from the
secondary. 

> Either way, SRS should only be performed when explicitly rewriting
> recipient addresses, not just when some set of approximate conditions
> matches. That is the purpose and intent of SRS.

You can be more specific than that. The purpose and intent of SRS is to
fix the broken assumptions of SPF -- by making them come true. It's to
avoid causing an SPF 'fail' result on what has until now (and indeed
until SPF's Brave New World) been considered normal, valid mail
forwarding behaviour.

So you don't need to rewrite when forwarding mail from a domain with no
SPF records, and you don't need to rewrite when forwarding mail from a
domain for which you _happen_ to be listed as an acceptable sender. And
you don't need to rewrite when sending to a recipient who isn't going to
check SPF.

Basically, the question you need to ask is "Is the flawed assumption of
SPF going to cause this message to be rejected because I'm sending it
from this particular IP address". And that question _is_ one that can be
answered in the output stage of your MTA.

-- 
dwmw2
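The decision procedure laid out in this message, written up as an added example; it is not code from the original post, from dwmw2's MTA configuration, or from any SRS library. It applies the conditions in the order the post gives them: skip rewriting when the recipient is a primary we back up, when the recipient is known not to check SPF, when the sender domain publishes no SPF record, and when our forwarding IP happens to be authorised; rewrite only when the sender's SPF policy would otherwise produce a failing result for our IP. The SPF evaluator is a deliberate subset (ip4 mechanisms and the all qualifier) sufficient for the constructed records below, the tables stand in for DNS and local configuration, and the secret, domains and addresses are all hypothetical. Treating softfail as worth rewriting is a conservative choice made here, not something the post states.

```python
"""Added example: should a forwarder SRS-rewrite this message?"""
import base64
import hashlib
import hmac
import ipaddress
import time

# Constructed sample data standing in for DNS lookups and MTA configuration.
SPF_RECORDS = {
    "alice.example": "v=spf1 ip4:203.0.113.0/24 -all",                # hard fail for us
    "bob.example":   "v=spf1 ip4:198.51.100.5 ~all",                  # soft fail for us
    "carol.example": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 -all",  # we are listed
    # dave.example publishes no SPF record at all
}
FORWARDER_IP = "192.0.2.25"                         # hypothetical outbound address
SECONDARY_MX_FOR = {"backed-up.example"}            # primaries we act as backup MX for
KNOWN_NOT_TO_CHECK_SPF = {"nospf.example"}          # recipients known not to check SPF
SRS_SECRET = b"hypothetical-secret"                 # real deployments load this from config


def spf_result(domain, ip):
    """Return 'none', 'pass', 'fail', 'softfail' or 'neutral'.

    Minimal evaluator: only ip4: mechanisms and the 'all' qualifier are
    understood, which covers the constructed records above.
    """
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    default = "neutral"
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.endswith("all"):
            qualifier = term[0] if term[0] in "+-~?" else "+"
            default = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return default


def should_rewrite(sender_domain, recipient_domain, forwarder_ip=FORWARDER_IP):
    """Apply the post's conditions; True means the envelope sender gets SRS-rewritten."""
    if recipient_domain in SECONDARY_MX_FOR:
        return False   # the primary must not SPF-check mail from its own backup MX
    if recipient_domain in KNOWN_NOT_TO_CHECK_SPF:
        return False   # nobody on the receiving side will evaluate SPF
    result = spf_result(sender_domain, forwarder_ip)
    # 'none' (no record) and 'pass' (we are an authorised sender) need no fixing.
    return result in ("fail", "softfail")


BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def srs_timestamp(now=None):
    """Two base32 characters encoding days since the epoch modulo 1024."""
    days = int((time.time() if now is None else now) // 86400)
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]


def srs0_rewrite(sender, forwarder_domain, now=None):
    """Produce SRS0=HHHH=TT=origdomain=origlocal@forwarder.

    The hash is the first four base64 characters of an HMAC over the
    timestamp, domain and local part, so the forwarder can later verify
    that a bounce to this address really came from one of its rewrites.
    """
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp(now)
    mac = hmac.new(SRS_SECRET, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1).digest()
    hh = base64.b64encode(mac).decode()[:4]
    return f"SRS0={hh}={ts}={domain}={local}@{forwarder_domain}"


def envelope_sender(sender, recipient, forwarder_domain, now=None):
    """Envelope sender to use when forwarding `sender`'s mail to `recipient`."""
    sender_domain = sender.rsplit("@", 1)[1]
    recipient_domain = recipient.rsplit("@", 1)[1]
    if should_rewrite(sender_domain, recipient_domain):
        return srs0_rewrite(sender, forwarder_domain, now)
    return sender


if __name__ == "__main__":
    for s, r in [("u@alice.example", "x@recv.example"),
                 ("u@alice.example", "x@backed-up.example"),
                 ("u@carol.example", "x@recv.example"),
                 ("u@dave.example", "x@recv.example")]:
        print(f"{s} -> {r}: MAIL FROM:<{envelope_sender(s, r, 'fwd.example')}>")
```

Only the last branch of `should_rewrite` depends on the sender; the first two are properties of the recipient and are exactly what this thread argued had been left out. The hash step is what makes the SRS0 address safe to accept bounces for: without it, anyone could mint SRS0 addresses and use the forwarder as a bounce relay.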

