begin Tuesday 23 March 2004 14:30, David Woodhouse quote:
You can be more specific than that. The purpose and intent of SRS is to
fix the broken assumptions of SPF
Not necessarily the only use. SPF works wonders with other
sender-validation schemes as well. Here in Luxembourg, one large
ISP (pt.lu) is doing a very simple algorithm: if Envelope From is
pt.lu, but the IP is not one of pt.lu's it rejects.
We have couple of addresses on our server which forward to pt.lu
addresses. As soon as pt.lu put this filtering into place, we started
noticing, because these forwarded addresses started bouncing all mails
from pt.lu . That's when we put SRS into place.
Bottom line: SPF is not the only from-based filtering tool, and SRS
helps with other from-based filtering tools as well.
[...]
So you don't need to rewrite when forwarding mail from a domain with no
SPF records,
Not valid if domain is "protected" by a different sender validation
system such MS caller-id for email, DMP, or just a manual access list
at the receiver...
Our example sender (Pt.lu) does not (yet) publish SPF records, thus
any rule such as "Do not apply SRS unless sender is positively known
to publish an SPF record" would have broken in this case.
and you don't need to rewrite when forwarding mail from a
domain for which you _happen_ to be listed as an acceptable sender.
Agreed on this one.
And
you don't need to rewrite when sending to a recipient who isn't going to
check SPF.
Dangerous. The recipient system may not be checking today, but he
might tomorrow. Also, it might be hard to find out dynamically whether
any checking occurs (failed mails might be tagged by recipient MTA
rather than refused, or they might be silently discarded, or they
might be bounced at a later stage...).
Basically, the question you need to ask is "Is the flawed assumption of
SPF going to cause this message to be rejected because I'm sending it
from this particular IP address". And that question _is_ one that can be
answered in the output stage of your MTA.
Indeed. Except I would state it as "Is there _a_possibility_ that the
flawed assumption of SPF is going to cause this message to be rejected
because..."
Here is how we do it (at lll.lu and linux.lu): we apply SRS by default
as soon as we forward mails to destinations outside our administrative
realm (assuming From is not local, of course).
Currently, on our servers we are applying the following set of rules:
(1) Do not rewrite if From is local (in "w" class)
R$* < @ $=w > $* $@ $1 < @ $2 > $3
R$* < @ $=w . > $* $@ $1 < @ $2 . > $3
(2) Do not rewrite if target system ($&h) is listed in our
"noSrsMailers" file (which contains primary MX'es for who we are
secondary) The noSrsMailers basically contains whatever
destination are also in /etc/mail/mailertable ...
R$* $: $&h $| $1
R$={noSrsMailers} $| $* $@ $2
R$* $| $* $: $2
(3) Do not rewrite if "To" is an SRS address (in order to prevent
exploits which allow to get an infinite amount of SRS cookies from
having just one... Cf my mail from last weekend)
R$* $: $1 $>IsSrs $&u
R$* YES $@ $1
R$* NO $: $1
(4) In all other cases, we do SRS:
R$* $: $(make_srs $1 $)
Regards,
Alain