spf-discuss

Re: Problem with SID

2005-06-22 20:55:44
On Wed, 22 Jun 2005, Dick St.Peters wrote:

> Stuart D. Gathman writes:
> > But all of the "forwarding problem" sob stories in spf-discuss I can
> > recall have been about attempting to check SPF for mail from your own
> > MX servers - an obvious misconfiguration.

> What does matter is that I receive the mail for example.com and that my
> user wants it relayed to his account at BigIsp.com.  This has always
> been easy, and I do it for a bunch of domains.

You are right. This is not your fault.  It is the fault of BigIsp or
perhaps the BigIsp user.

If you are relaying mail to BigIsp.com, you are effectively an MX
for (that user at) BigIsp.com.  Ideally, BigIsp.com would be SPF savvy
enough not to check SPF for your relay, for that user at least.
Since you probably can't convince them to do that, you will have to
use SRS.  This is the case I described as "not having administrative
control or influence over an MTA behind your MX".  BigIsp.com is
behind your MX for that address, and if they are checking SPF incorrectly
(which they are, apparently), you have little recourse other than SRS.

BigIsp.com could reasonably argue that it is actually working correctly
because they don't support user configured forwarding.  In that case, 
it is the fault of the BigIsp.com user that expects whatever random
mail relay they point at BigIsp.com to work anyway.

But they are your customer, and they expect *you* to work around it.
So you have to implement SRS to work around it.  SRS is easy.  I'm
sure you know that and are just worried about broken mailing lists and such.

> SPF doing what it's supposed to do breaks this very common forwarding
> of mail.  THAT is the forwarding problem.

It may be common, but it wasn't good even before SPF.  If you don't
have an administrative relationship with anydomain.com, you shouldn't just
relay mail to their MXes.  You can, however, resend mail to them.

> To flesh out why mail forwarding is common, in a typical scenario
> example.com would involve multiple users receiving mail at addresses
> in the same example.com domain while using a variety of destination
> email accounts at a variety of providers.

Since the variety of destination accounts don't know about your
unauthorized relay, you should resend (e.g. SRS) the mail instead.

I do this for users who are on vacation and their company doesn't have
a webmail server.  They use an app to set up a sendmail .forward for their
mailboxes to aol or whatever, and pysrs takes care of turning the sendmail
forward into a proper resend.  Before SRS and before SPF, there were
other less general utilities to resend mail to arbitrary destinations
and handle any DSNs.  Sendmail even has a feature, the "plussed user", to
support proper resending and other MFROM rewriting (although SRS doesn't
use it).

BTW, I do SRS for *all* outgoing mail, even when it doesn't need it.  This
allows me to reject forged DSNs.  This is not a problem for functional
mailing list software (e.g. listbox.com or GNU mailman).  If you *must* use a
broken mailing list, just turn off SRS for the broken list's domain.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
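The SRS resend that the post describes, and the "reject forged DSNs" check that doing SRS on all outgoing mail makes possible, as an added illustrative example (not pysrs or any code from the thread). It follows the SRS0 address layout loosely; the secret, forwarder domain and sample sender are constructed, and the age limit and hash details are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo values: assumptions, not taken from the post.
SECRET = b"example-forwarder-secret"
FORWARDER = "example.com"
TS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # SRS base32 timestamp alphabet

def srs_timestamp(days=None):
    """Two-character stamp encoding days-since-epoch mod 1024 (10 bits)."""
    days = int(time.time() // 86400) if days is None else days
    return TS_ALPHABET[(days >> 5) & 31] + TS_ALPHABET[days & 31]

def srs_hash(timestamp, domain, local):
    """First four base64 chars of an HMAC-SHA1 over stamp+domain+local."""
    msg = (timestamp + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest())[:4].decode()

def srs_forward(sender, days=None):
    """Rewrite MAIL FROM so that any DSN comes back to the forwarder (SRS0)."""
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp(days)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"

def srs_reverse(address, days=None, max_age_days=21):
    """Return the original sender for a valid SRS0 address, else None.
    Because every outgoing message was SRS-rewritten, a bounce aimed at a
    plain (non-SRS0) local part never matches anything we sent: reject it."""
    local, domain = address.rsplit("@", 1)
    if domain.lower() != FORWARDER or not local.startswith("SRS0="):
        return None                      # forged or unsolicited DSN
    parts = local.split("=", 4)
    if len(parts) != 5:
        return None
    _, h, ts, orig_domain, orig_local = parts
    ts = ts.upper()
    if len(ts) != 2 or any(c not in TS_ALPHABET for c in ts):
        return None
    # HMAC check: a tampered sender or domain fails here.
    if not hmac.compare_digest(h, srs_hash(ts, orig_domain, orig_local)):
        return None
    # Age check (modular, 1024-day window): old stamps are replays.
    now = int(time.time() // 86400) if days is None else days
    stamp = (TS_ALPHABET.index(ts[0]) << 5) | TS_ALPHABET.index(ts[1])
    if (now - stamp) % 1024 > max_age_days:
        return None
    return f"{orig_local}@{orig_domain}"
```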