
Re: Problem with SID

2005-06-22 15:31:09
On Wed, 22 Jun 2005, Dick St.Peters wrote:

Stuart D. Gathman writes:
There is no forwarding problem in SPF1.

It is true that to correctly check SPF, a receiver that includes forwarders
as part of their receiving MTA network must take this part of their network
into account.

There IS a forwarding problem with SPF1, and it has nothing to do with
forwarders as part of a receiving MTA network.  It has to do with
forwarding to remote networks.

For example, I handle email for a bunch of small businesses, meaning
mail sent to addresses in their domains comes here, and I disperse it
to wherever they want it to go.  If JaneDoe(_at_)aol(_dot_)com sends mail to
one of my users with mail forwarded to JohnBuck(_at_)BigIsp(_dot_)com, then
unless I do something special, BigIsp.com sees my little server trying to give
it mail with an aol.com MAILFROM.  My server would flunk an SPF test
for legitimate senders of mail from aol.com.  This is the SPF1
forwarding problem.

It is not an SPF problem because SPF only applies to the transfer from
an AOL server to an MX for the recipient domain.  Once that transfer
takes place, SPF is out of the picture - and attempting to apply it
is incorrect.

Your server is *supposed* to flunk SPF for aol.com mail, because you
are not an AOL MTA!  Your mistake is having "internal" MTAs behind
your server check SPF on mail coming from your server.

I also do exactly what you describe for 40 small business MTAs.
In fact, any secondary MX server does exactly what you describe.
These cases are the most trivial to handle.  Your MTA is trusted just
like a secondary MX server.  Your clients are relying on you to do
any SPF checks.  Your clients should not be doing any SPF checks.
If they also run servers that accept mail, those servers should not
check SPF for mail coming from your trusted server, because you have
already done it.

For instance, in pymilter, I list secondary MXes and other forwarders
with a line like this:

# Connections from a trusted relay can trust the first Received header,
# and have already been SPF checked.
trusted_relay = ??.99.67.186

I get around it by using SRS, but SRS introduces edge-case problems of

You don't need SRS for your example.  SRS is useful if you don't have
control of the configuration for MTAs behind your MX.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
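The gating logic the reply describes, as an added example that is not pymilter's code or anything from the thread: a receiver checks SPF only on connections that are not from a trusted relay, and for a trusted relay it takes the originating IP from the first Received header instead. The policy table, relay list, addresses and header are constructed stand-ins, and the SPF evaluator is a simplified stub, not a real resolver.

```python
"""Added example: gate SPF checking on whether the connecting host is a
trusted relay (secondary MX or forwarder), as the post describes."""
import ipaddress
import re

# Constructed stand-in for SPF lookups: domain -> networks allowed to send
# its mail. A real MTA resolves this from the domain's TXT record.
SPF_POLICY = {
    "aol.com": [ipaddress.ip_network("205.188.0.0/16")],
}

# Constructed: relays whose SPF check we trust, like pymilter's trusted_relay.
TRUSTED_RELAYS = {ipaddress.ip_address("198.51.100.10")}

# Bracketed IPv4 literal as written into a Received header by the relay.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def spf_result(connecting_ip, mail_from):
    """Minimal SPF-like evaluation against the constructed policy table."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    nets = SPF_POLICY.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    return "pass" if any(ip in n for n in nets) else "fail"


def upstream_ip(received_headers):
    """From a trusted relay, its first Received header names the real sender."""
    if not received_headers:
        return None
    m = RECEIVED_IP.search(received_headers[0])
    return m.group(1) if m else None


def check_inbound(connecting_ip, mail_from, received_headers,
                  trusted_relays=TRUSTED_RELAYS):
    """Return (result, source_ip). A trusted relay is never re-checked: the
    relay already checked SPF, so re-applying it would flunk forwarded mail."""
    if ipaddress.ip_address(connecting_ip) in trusted_relays:
        return "trusted-relay", upstream_ip(received_headers)
    return spf_result(connecting_ip, mail_from), connecting_ip
```

Passing an empty set as `trusted_relays` reproduces the forwarding failure from the thread: the forwarder hands over mail with an aol.com MAILFROM from an address AOL's policy does not list.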

