spf-discuss

Re: Sendmail white paper, SRS, and forwarding

2004-11-23 10:46:36
On Sat, 2004-11-20 at 20:47 +0100, Roger Moser wrote:
> Meng Weng Wong wrote:
>
> > The only case where you might not want to SRS a return path is where SES
> > is happening, but even then, the rewritten address will pass SPF anyway.
>
> SRS breaks SES. The mail will be rejected if the mail is forwarded by a
> second forwarder (not doing SRS) after being forwarded by a forwarder that
> applied SRS.

Didn't we cover this? This isn't really a special case. This is just a
subset of the fact 'SPF with -all breaks mail because people aren't
doing SRS'.

When the first forwarder applies SRS they are adding their own envelope
-- they're taking responsibility for the mail. It's no longer claiming
to be from the original source.

When f1.com sends that mail to f2.com and it's sent on without SRS to
rejectsfail.com, it doesn't make any difference at _all_ whether the original
mail was an SES-signed mail forwarded by f1.com, an _unsigned_ mail
forwarded by f1.com, or a mail which was actually originated at f1.com.

The combination of f1.com's '-all' record and the lack of SRS at f2.com
(as indeed in most of the real world) is what broke that mail. It has
nothing to do with SES.

-- 
dwmw2
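
The forwarding chain discussed in the message above, modelled as an added example that is not part of the original post. It assumes a toy SPF check (host names instead of DNS lookups and IP addresses), hypothetical hosts named `mail.<domain>`, an origin domain `example.org`, and a simplified SRS rewrite with placeholder hash and timestamp fields.

```python
# Constructed SPF policies: domain -> hosts allowed to send for it.
# Each stands for a record ending in "-all" (every other host fails).
SPF_ALLOWED = {
    "example.org": {"mail.example.org"},
    "f1.com": {"mail.f1.com"},
    "f2.com": {"mail.f2.com"},
}

def srs_rewrite(sender, forwarder):
    """Simplified SRS: HHH and TT are placeholders for the hash and timestamp."""
    local, domain = sender.rsplit("@", 1)
    if local.startswith("SRS0="):  # already rewritten once: chain as SRS1
        return f"SRS1=HHH={domain}=={local[5:]}@{forwarder}"
    return f"SRS0=HHH=TT={domain}={local}@{forwarder}"

def spf_check(envelope_sender, sending_host):
    """Model of the receiver's check: is the host listed for the sender's domain?"""
    domain = envelope_sender.rsplit("@", 1)[1]
    return "pass" if sending_host in SPF_ALLOWED.get(domain, set()) else "fail"

def relay(sender, hops):
    """hops: [(forwarder_domain, applies_srs), ...].
    Returns the envelope sender and SPF result seen by the final receiver."""
    host = None
    for forwarder, applies_srs in hops:
        if applies_srs:
            sender = srs_rewrite(sender, forwarder)
        host = "mail." + forwarder  # the last hop connects to the receiver
    return sender, spf_check(sender, host)

def compare(f2_applies_srs):
    """The three cases from the message, as delivered to rejectsfail.com."""
    via_f1 = [("f1.com", True), ("f2.com", f2_applies_srs)]
    cases = {
        # "SES-SIG-" is a constructed stand-in, not real SES syntax.
        "ses_signed_via_f1": ("SES-SIG-alice@example.org", via_f1),
        "unsigned_via_f1": ("alice@example.org", via_f1),
        "originated_at_f1": ("bob@f1.com", [("f2.com", f2_applies_srs)]),
    }
    return {name: relay(sender, hops) for name, (sender, hops) in cases.items()}

if __name__ == "__main__":
    for f2_srs in (False, True):
        print(f"f2.com applies SRS: {f2_srs}")
        for name, (sender, result) in compare(f2_srs).items():
            print(f"  {name:18} {result:4} {sender}")
```

In all three cases the receiver evaluates f1.com's policy against f2.com's host, so the outcome depends only on whether f2.com rewrites the envelope sender.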