This might be a fix for mail-lists and forwarding which will require the
MTA's to do nothing at all, but will have a higher overhead, so is not a
long-term solution. My intention here is to create a "fix" for SPF's known
problem areas, so that we can continue to promote the publication of records
and the use of milters, while a more permanent solution to mail-lists and
forwarding is found. Even though there is a greater overhead in this
scheme, the percentage of mail which would go through the entire process is
probably very small, and the increase in the overhead might not be
significant.
So, do the initial checks on the envelope headers as usual, and if that
doesn't create a "pass" - check the internal, data Reply-To: , From: ,
Sender: and then the Received: headers *in reverse order* until it either
finds a "pass" or runs out of headers - in which case it's a fail.
Like this -
Step 1.
Use the mailfrom envelope header fqdn spf record if it exists or pass on to
the next step -
Check whether the mailfrom envelope header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data ReplyTo: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data From: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data Sender: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the bottom entry of the data Received: header domain/IP/etc
is authorised
If yes - pass - If not -
Check whether the next entry up of the data Received: header domain/IP/etc
is authorised
If yes - pass - If not -
Continue up the list of data Received: headers until there is a match, or
proceed to next step.
Step 2.
Use the data ReplyTo: header fqdn spf record if it exists or pass on to the
next step -
Check whether the mailfrom envelope header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data ReplyTo: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data From: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data Sender: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the bottom entry of the data Received: header domain/IP/etc
is authorised
If yes - pass - If not -
Check whether the next entry up of the data Received: header domain/IP/etc
is authorised
If yes - pass - If not -
Continue up the list of data Received: headers until there is a match, or
proceed to next step.
Step 3.
Use the data From: header fqdn spf record if it exists or pass on to the
next step -
Check whether the mailfrom envelope header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data ReplyTo: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data From: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data Sender: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the bottom entry of the data Received: header domain/IP/etc
is authorised
If yes - pass - If not -
Check whether the next entry up of the data Received: header domain/IP/etc
is authorised
If yes - pass - If not -
Continue up the list of data Received: headers until there is a match, or
proceed to next step.
Step 4.
Use the data Sender: header fqdn spf record if it exists or pass on to the
next step -
Check whether the mailfrom envelope header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data ReplyTo: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data From: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the data Sender: header domain/IP/etc is authorised
If yes - pass - If not -
Check whether the bottom entry of the data Received: header domain/IP/etc
is authorised
If yes - pass - If not -
Check whether the next entry up of the data Received: header domain/IP/etc
is authorised
If yes - pass - If not -
Continue up the list of data Received: headers until there is a match, or
fail.
In reality the milter could probably shortcut some of this, and there is a
question as to what order to check the data headers, but that can be sorted
out later - or even made selectable by users. Passes produced by these more
convoluted checks could be weighted according to the recipients wishes (eg
spamassassin).
All rejects will be bounced in exactly the same way as they are at the
moment.
This scheme requires no action by anybody except the receiver. Obviously if
the mail-list or forwarder has an spf record that is correct, the process
will be shortened. During the early days, a mail that requires such
convoluted checking could trigger a mail to the postmaster of the domain
causing trouble, with a short note of the problem and how to publish his spf
record and make his service compliant.
Constructive criticism welcomed. :-/
/me hides behind the door.......
Slainte,
JohnP.
johnp(_at_)idimo(_dot_)com
ICQ 313355492