On Saturday 24 July 2004 01:44, Gilbert, Joseph wrote:
> The biggest problem I see is that it breaks or is broken by "store and
> forward" per RFC 974 and RFC 2821. How do you set up SPF so that mail can
> be safely received by a secondary mail server and forwarded on to the
> primary?

Rather easily:

1/ Have all your secondary servers perform SPF checks as email enters "your
network of MXes".

2/ Have your primary accept what comes from your secondary without performing
further SPF checks, knowing it has already been done, that mail that should
be refused at MTA level has already been, and that proper headers reflecting
the results of the SPF check have already been added by your secondary.

Actually, the "secondary MX problem" is not specific to SPF. Many spammers
attack the lowest priority MX first, assuming it may have a weaker filter
configuration than the primary, and that the primary will have a hard time
rejecting what is transmitted through its secondary.

I actually had to quit using several secondary MXes for this very reason, and
this was before SPF.

My policy regarding this now is: your secondary servers should be at least as
severe (and possibly more so) about accepting mail as your primary is.

If one cannot make sure that his secondary will be as severe as, or worse than,
his primary, he should quit using this secondary.

Regards.
--
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E
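
The two-step arrangement described in the message above, seen from the primary's side, as an added example that is not part of the original message. The relay addresses, host names and sample message are constructed, and it assumes the secondary records its verdict in a `Received-SPF` header that it prepends to the message.

```python
import ipaddress
from email import message_from_string

# Assumption: addresses of our own secondary MXes (documentation ranges).
TRUSTED_SECONDARIES = [ipaddress.ip_network("192.0.2.10/32"),
                       ipaddress.ip_network("2001:db8::25/128")]

SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none",
               "temperror", "permerror"}

# Constructed sample: the secondary's verdict is on top; the lower
# Received-SPF line arrived with the message and must not be believed.
SAMPLE = (
    "Received-SPF: softfail (mx2.example.net: 198.51.100.7 not designated)\n"
    "Received: from mail.example.org (198.51.100.7) by mx2.example.net\n"
    "Received-SPF: pass (header supplied by the sender)\n"
    "From: a@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def from_secondary(client_ip):
    """True when the SMTP client is one of our own secondary MXes."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_SECONDARIES)

def spf_action(client_ip, raw_message):
    """Decide what the primary does about SPF for this connection.

    Returns ("check", None) when the primary must run SPF itself, or
    ("trust", result) when the verdict recorded by the secondary is used.
    """
    if not from_secondary(client_ip):
        return ("check", None)
    msg = message_from_string(raw_message)
    # Each hop prepends its headers, so only the first Received-SPF was
    # written by our secondary; anything below it came from outside.
    headers = msg.get_all("Received-SPF") or []
    if not headers:
        return ("trust", "missing")   # secondary is not stamping mail
    words = headers[0].split()
    result = words[0].lower() if words else ""
    return ("trust", result if result in SPF_RESULTS else "invalid")

if __name__ == "__main__":
    print(spf_action("192.0.2.10", SAMPLE))
    print(spf_action("203.0.113.5", SAMPLE))
```

A "missing" or "invalid" result on mail from a trusted relay means that secondary is not applying the same checks as the primary.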