spf-discuss
[Top] [All Lists]

Re: SES

2004-08-18 01:43:31
David Woodhouse wrote:

Despite the one layer-conflicted ezmlm setting to use the
envelope-from for checking membership-status, I have been using my
own SES implementation, almost from day one, and with great success.
I even put a notice in my SMTP banner:

--- 220- Effective immediately: Asarian-host no longer accepts
--- 220- DSN recipients without valid SRS signature.

The URL above implies that you reject bogus bounces only after the
DATA command. Yet you don't -- and this is a _good_ thing because it
means you allow third parties doing CBV to reject mail with your
addresses faked as the sender. You should probably update your
documentation.

The documentation followed a more conservative approach than what I
eventually implemented and went with.

Empirical data over several months showed that hardly anyone, if at all,
makes a legitimate CBV call with an empty envelope-from to an unsigned
recipient. Nor is there any good reason they should, really. If people per
se must check the validity of my unsigned address, then they can do so with
a non-zero envelope-from.

The cost of wasting all that extra bandwidth (always a scarce commodity) to
wait out the whole DATA phase, just to accommodate the odd broken client,
just did not add up. And I say "broken" with good reason, because a real DSN
takes for recipient the address it received as envelope-from in the SMTP
dialogue. That there are folks out there who thought it was a good idea to
"fake" a DSN (for whatever purpose), and use for recipient something which
did NOT come out of the SMTP dialogue, is really, ultimately, their problem.

In spf-milter I no longer wait for the DATA phase either. I should indeed
update the documentation, though.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx


<Prev in Thread] Current Thread [Next in Thread>