spf-discuss

Re: Problem with SID

2005-06-22 18:12:58
On Wed, 22 Jun 2005, Hector Santos wrote:

> Not to put words into Stuart's mouth, I believe he is basically saying that
> to *participate* as a SPF compliant server or receiver you need to make sure
> that forwarding isn't a problem.

Yes.

> In other words, a SPF compliant server should not be using a smart host or
> routing outbound mail that is not part of the sender's SPF network.  He
> needs to make sure that when it finally reaches the final destination that
> it is still part of the SPF network.

No.  A sender is only responsible for the message until it leaves the
border MTA for the sending domain.  After that, it is the receiver's
responsibility.  Normally, only the border MTA for the receiver (i.e.
an MX server) should check SPF.  Any additional MTAs behind the MX
should NOT check SPF for mail relayed to them by the border MTA.

> This is what I call transition points.   All transition points (hops) in a
> SPF network must maintain the IP::DOMAIN SPF association.

There is only 1 transition point between 2 domains.  If the receiver (or
sender) wishes to add another transition point (perhaps because they don't have
administrative control or influence over some MTA which is using them for an
MX but incorrectly checking SPF anyway), then they have to use something like
SRS.

But all of the "forwarding problem" sob stories in spf-discuss I can
recall have been about attempting to check SPF for mail from your own
MX servers - an obvious misconfiguration.  It is a case of "Doctor!
Doctor! It hurts when I do this!"  Just say no to checking SPF on
your own MXes, and you won't need SRS.

If you are hiring a 3rd party to serve as an MX for one or more of
your domains, then you can't check SPF for mail they send you either.
Hopefully, this MX for hire will check SPF before relaying your mail.
If they do, SRS isn't needed.  If they don't, SRS won't help.

> Otherwise we have a forwarding problem.

If your MTA network is too complex to figure out how to configure SPF (either
sending or receiving), then punt until it is cleaned up. 

For receivers, cleaned up means identifying all your MX servers
(try looking at the MX records in DNS).

For senders, cleaned up means identifying all outgoing MTAs at
the border.  This is actually harder than the receiver's job since
there are no existing DNS records to help - you are creating an
SPF record as the outgoing analog to MX.

For receivers, punting means not checking SPF, or at least not
rejecting on fail.

For senders, punting usually means ?all.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
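The policy Stuart describes above (check SPF only at the border MX, never on mail relayed by your own MXes, and "punt" by not rejecting on fail) is easy to express in code. The following is an added example, not code from the post or from any SPF implementation: a minimal evaluator for the `ip4:`/`ip6:`/`all` mechanisms of a `v=spf1` record, with the `-all`/`~all`/`?all` qualifiers the thread mentions, plus the border-MX gate in front of it. The IP addresses and record are constructed sample values; mechanisms that need DNS (`a`, `mx`, `include`, `redirect=`) are deliberately reported as unsupported rather than evaluated.

```python
import ipaddress

# Constructed example: addresses of our own MX / border relays. Mail arriving
# from these hosts has already crossed the one transition point, so SPF is
# not checked again (the misconfiguration the post warns about).
OWN_MX_IPS = {"192.0.2.10", "192.0.2.11"}

# SPF qualifier prefix -> result name
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate a minimal SPF record against the connecting client IP.

    Handles only the ip4:, ip6: and all mechanisms with their qualifiers.
    Returns one of: pass, fail, softfail, neutral, none, permerror, unsupported.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            # "all" always matches; its qualifier decides the result (-all/~all/?all)
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        # a, mx, include, exists, redirect= need DNS lookups; not evaluated here
        return "unsupported"
    # No mechanism matched and no "all": default result is neutral
    return "neutral"


def check_and_decide(client_ip: str, record: str, reject_on_fail: bool = True):
    """Border-MX policy: skip SPF for our own MXes, otherwise evaluate and act.

    reject_on_fail=False is the "punting" receiver described in the post:
    SPF is still evaluated (useful for logging/scoring) but never rejects.
    Returns (spf_result, action).
    """
    if client_ip in OWN_MX_IPS:
        return ("skipped", "accept")
    result = evaluate_spf(record, client_ip)
    if result == "fail" and reject_on_fail:
        return (result, "reject")
    return (result, "accept")


if __name__ == "__main__":
    # Constructed sample record for the sending domain
    sample = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"
    for ip in ("198.51.100.7", "203.0.113.5", "192.0.2.10"):
        print(ip, check_and_decide(ip, sample))
```

The `OWN_MX_IPS` set is the part the post says receivers must get right: it should contain exactly the hosts your DNS MX records (or a hired MX service) point at, so that SPF is applied once, at the border, and never to mail those hosts relay inward.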

