spf-discuss

RE: Sendmail white paper

2004-11-23 05:41:24
On Tue, 2004-11-23 at 12:30 +0000, Mark wrote:
> Not doing SPF checks for mail that is going to be forwarded is just
> passing the phishing buck to the next hop. It could be a policy; it is not
> mine, however.

That's just the way SPF works though -- it's only a hopwise check,
because any host can decide to do SRS as it sees fit, as you say.
Someone may receive a message from your server with a reverse-path of
SRS0=Hx=SDFGSDRGT=infradead.org=dwmw2@asarian-host.org and they've got
_absolutely_ no clue whether it came from me or not.

> SPF is about the legitimacy of a relay. You cannot pass a "neutral",
> "pass", or "unknown" to the next hop, as the forwarder introduces his own
> relay, with his own SPF records.

Right. SPF doesn't give you any visibility past the last hop. It doesn't
give any kind of true end-to-end indication that the mail really did
come from the address you think it may come from.

> Therefore, looking at it from the
> perspective of the relay, the SPF record of the incoming relay is really
> irrelevant with regard to forwarding (except when the incoming mail
> "fails" to begin with).

Right.

> The forwarding "problem" is as old as SPF. In practice, however, when I do
> SRS, the problem is as good as solved. Because forwarding, via, say, a
> .forward file, is rarely a multiple-hop thing. Theoretically, yes, the
> mail I forward could hit another .forward, at the receiving machine; so it
> could be an A -> B -> C -> D thing. Of course. But that would be silly,
> because a common-sense user wanting his mail forwarded, should just use
> A -> C -> D, where I am C (cutting out B). And if I, as C, do SRS, then
> things work. And, in practice, without the cooperation of the entire
> world.

Actually a lot of people do the A->B->C->D thing. The host 'B' may be
one of many hosts on which a user has a mail account such as kernel.org,
ftp.uk.linux.org, etc. The 'C' could be my infradead.org account; a
permanent address. And 'D' may be wherever I actually want my mail to
end up this week.

I wouldn't want to change all the numerous instances of host 'B' to a
different address when I change the C->D .forward file (actually that's
a TXT record in a private DNS domain, not a .forward, but it has the
same effect). So I've always used A->B->C->D, and I know a lot of other
people who do likewise.

-- 
dwmw2
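
An added example (not part of the original message, and not taken from any SRS implementation): a small model of the A -> B -> C -> D chain discussed above, showing what each receiver's hop-wise SPF check sees with and without SRS. The `.example` hosts, IPs, keys, the 4-character hex tag and the fixed `TT` timestamp are constructed assumptions, and forwarders in this model relay regardless of the SPF result.

```python
import hashlib
import hmac

# Constructed data: each host relays from the one IP its own SPF record authorises.
SPF = {"a.example": "192.0.2.1", "b.example": "192.0.2.2", "c.example": "192.0.2.3"}
KEYS = {"b.example": b"key-b", "c.example": b"key-c"}  # per-forwarder SRS secrets

def _tag(fwd, *parts):
    """Short HMAC that lets a forwarder recognise its own rewritten addresses."""
    msg = "=".join(parts).lower().encode()
    return hmac.new(KEYS[fwd], msg, hashlib.sha1).hexdigest()[:4]

def srs_forward(sender, fwd, ts="TT"):
    """Rewrite the reverse-path into the forwarder's own domain."""
    local, domain = sender.rsplit("@", 1)
    if local.startswith("SRS0="):   # second forwarder: wrap, pointing back at the first
        rest = local[len("SRS0"):]  # "=hash=ts=domain=user", kept opaque
        return f"SRS1={_tag(fwd, domain, rest)}={domain}={rest}@{fwd}"
    if local.startswith("SRS1="):   # later forwarders: keep the first hop, re-sign
        _, _, first, rest = local.split("=", 3)
        return f"SRS1={_tag(fwd, first, rest)}={first}={rest}@{fwd}"
    return f"SRS0={_tag(fwd, ts, domain, local)}={ts}={domain}={local}@{fwd}"

def spf_check(sender, client_ip):
    """Hop-wise check: does the reverse-path domain authorise the connecting IP?"""
    return "pass" if SPF.get(sender.rsplit("@", 1)[1]) == client_ip else "fail"

def deliver(sender, path, use_srs, origin_ip=None):
    """Walk path[0] -> ... -> path[-1]; return (receiver, reverse-path, result) per hop."""
    hops = []
    ip = origin_ip or SPF[path[0]]
    for prev, nxt in zip(path, path[1:]):
        if prev != path[0]:          # a forwarder relays from its own IP
            ip = SPF[prev]
            if use_srs:
                sender = srs_forward(sender, prev)
        hops.append((nxt, sender, spf_check(sender, ip)))
    return hops

PATH = ["a.example", "b.example", "c.example", "d.example"]
if __name__ == "__main__":
    for label, kw in (("no SRS", dict(use_srs=False)), ("SRS", dict(use_srs=True)),
                      ("SRS, forged origin", dict(use_srs=True, origin_ip="203.0.113.9"))):
        print(label)
        for hop in deliver("alice@a.example", PATH, **kw):
            print("  ", *hop)
```

In the forged-origin run, D receives the same reverse-path and the same "pass" as in the genuine run; only B was in a position to see the failure.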

