spf-discuss

Re: forwardmaster autoresponder

2005-04-27 18:07:23
Radu Hociung wrote:

>> What you probably need is to identify forwarders by
>> their HELO and IP against SPF or CSV or a "forwardmaster"
>> list of hardwired IPs (worst case).

> No, that's not at all what is needed.

IBTD, in that case your idea wouldn't be better than say
trusted-forwarders.org and its variations like op=trusted.

In your example:

> 1. 1.1.1.1 and sender(_at_)hotmail(_dot_)com against SPF record @
>    hotmail.com

You forgot step 0, where you check the HELO forwarders.com
against its policy.  If you insist on a policy in step 2,
then step 0 should result in a PASS for the HELO.

It would be nice to skip step 1.  In theory you have the
data to know that step 1 cannot / should not work for mails
from forwarders.com.

> 2. 1.1.1.1 and account(_at_)forwarders(_dot_)com against SPF record @
>    forwarders.com

Two new ideas, the one I saw was "local white list based on
the RCPT TO", here you could reuse the result of step 0 with
a forwardmaster-list based on the FQDN forwarders.com

I missed your second idea, the forwardmaster-list contains
complete addresses, not only the FQDN.  Apparently that does
not work well for Web hosters or quasi-MX services, if they
forward all mails for a complete domain to recipient(_at_)example

Or could account(_at_)forwarders(_dot_)com be a "virtual address", only
used to get a "virtual identity" for your step 2 ?  In that
case it would work, but you need another SPF test in step 2.

What you get is great flexibility (the policy of account1@
is not necessarily the same as account2(_at_)forwarders(_dot_)com) at
the cost of another step 2 SPF evaluation.

IMHO you should remove this flexibility.  Forwarders.com is
unwilling to implement SRS, otherwise you wouldn't need the
forwardmaster-kludge.  Therefore they also don't offer per-user
policies.  And then greater flexibility is a waste of
time on the side of the MX for recipient(_at_)example

I'd opt for a HELO based forwardmaster-list.  And then it's
as I said in the previous article, you have to be sure that
HELO forwarders.com is not forged.

Either because CSV or SPF said PASS, or because your white
list based on RCPT TO (= forwardmaster-list) enumerates the
IPs expected for a valid HELO forwarders.com

                         Bye, Frank
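The evaluation order argued for in this thread (step 0: verify the HELO against its own policy or a hardwired forwardmaster list; if the HELO is a trusted forwarder for this RCPT TO, skip step 1; otherwise fall through to the ordinary MAIL FROM SPF check), written out as an added example for a receiving MX. This is not code from the original posts or from any SPF implementation: the `SPF_RECORDS` and `FORWARDMASTER` tables are constructed stand-ins (ip4 mechanisms only, no DNS lookups, a TEST-NET range instead of hotmail.com's real ranges), and the function names are this example's own.

```python
import ipaddress

# Constructed stand-ins for published SPF records (ip4 mechanisms only, no DNS).
# 192.0.2.0/24 is a documentation range used here in place of real hotmail.com IPs.
SPF_RECORDS = {
    "hotmail.com": ["v=spf1", "ip4:192.0.2.0/24", "-all"],
    "forwarders.com": ["v=spf1", "ip4:1.1.1.0/24", "-all"],
}

# Constructed per-recipient forwardmaster list, keyed by RCPT TO.
# Each entry maps a trusted HELO FQDN to the hardwired IPs expected for it
# (the "worst case" fallback when neither SPF nor CSV can vouch for the HELO).
FORWARDMASTER = {
    "recipient@example.com": {
        "forwarders.com": ["1.1.1.1"],
    },
}


def spf_check(domain, ip):
    """Minimal SPF-style check: PASS if ip matches an ip4 mechanism,
    FAIL on '-all', NONE if the domain publishes no record."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "NONE"
    addr = ipaddress.ip_address(ip)
    for mech in record[1:]:
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:]):
            return "PASS"
        if mech == "-all":
            return "FAIL"
    return "NEUTRAL"


def helo_check(helo, ip, rcpt_to):
    """Step 0: is this HELO name credible for the connecting IP?
    PASS if the HELO's own policy says so, or if the recipient's
    forwardmaster list hardwires this IP for that HELO."""
    if spf_check(helo, ip) == "PASS":
        return "PASS"
    hardwired = FORWARDMASTER.get(rcpt_to, {}).get(helo, [])
    if ip in hardwired:
        return "PASS"
    return "FAIL"


def evaluate(ip, helo, mail_from, rcpt_to):
    """Run step 0, then decide whether step 1 (MAIL FROM SPF) still applies.
    Returns a dict with the action and the intermediate results."""
    helo_result = helo_check(helo, ip, rcpt_to)
    trusted_forwarder = helo in FORWARDMASTER.get(rcpt_to, {})

    # A verified HELO that this recipient lists as a forwarder: the original
    # sender's SPF record cannot cover the forwarder's IP, so step 1 is skipped.
    if helo_result == "PASS" and trusted_forwarder:
        return {"action": "accept", "helo": helo_result, "step1": "skipped"}

    # Otherwise the ordinary check: MAIL FROM domain against the client IP.
    sender_domain = mail_from.rsplit("@", 1)[1]
    step1 = spf_check(sender_domain, ip)
    action = "reject" if step1 == "FAIL" else "accept"
    return {"action": action, "helo": helo_result, "step1": step1}


if __name__ == "__main__":
    # The thread's example: forwarders.com relays a hotmail.com sender from 1.1.1.1.
    print(evaluate("1.1.1.1", "forwarders.com", "sender@hotmail.com", "recipient@example.com"))
    # Same forwarder, but a recipient who never listed it: step 1 runs and fails.
    print(evaluate("1.1.1.1", "forwarders.com", "sender@hotmail.com", "other@example.com"))
```

Note that a forged HELO gains nothing here: a client at an IP outside forwarders.com's record and outside the hardwired list gets a HELO FAIL, so the forwardmaster entry is never consulted and the MAIL FROM check runs as usual.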


