spf-discuss

Re: Conflict with challenge/response filters

2005-07-05 15:22:56
On Tue, 5 Jul 2005 mail(_at_)gunnar(_dot_)cc wrote:

> To make my mail server SPF compliant, I have it do SRS-rewriting of all
> outgoing envelope-from addresses, using the method described at
> http://srs-socketmap.info/sendmailsrs.htm . In my capacity as server
> admin, possible messages to the domain used for SRS go to me.

Not sure why this is needed to be "SPF compliant", but it is useful
for blocking bogus bounces or having only one SPF record for all outgoing
domains.

> Yesterday I received a "spam challenge" message from one of those
> challenge/response filter services, which let me know that the
> [SRS-signed address] address was not whitelisted. The "spam challenge"
> message was sent to the rewritten envelope-from address, not to the
> "From:" address.
>
> The incident made me realize that having all outgoing envelope-from
> addresses rewritten clashes with the challenge/response approach. Not
> that I personally care much about the latter, but some users may
> consider it a problem.
>
> Anybody who knows of a simple solution to this problem?

I just add such services to 'no-srs-forwarders', which turns off
SRS/SES for that recipient domain in my implementation.

> Other related comments?

If you are doing SRS because you are a forwarding service and your
users have no way to whitelist you, then any user that 

1) implements a challenge response filter 
2) on an address that they also forward to and 
3) have no way to whitelist the forwarders but 
4) yet still check SPF and
5) also reject on fail 

is going to have problems.  Doctor, doctor!  It hurts when I do this...

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
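
Added example, not part of the original message and not either poster's implementation: a simplified SRS0-style rewriter in Python that skips rewriting for exempt recipient domains (the idea behind 'no-srs-forwarders' above) and validates addresses that come back, which is what lets bogus bounces be rejected. The secret, the domain names, the exemption set and the NUL-separated HMAC input are assumptions made for this sketch, so its output is not wire-compatible with any particular SRS library.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-secret"         # assumption: site-local SRS secret
SRS_DOMAIN = "srs.example.org"              # assumption: domain that receives SRS bounces
NO_SRS_DOMAINS = {"cr-filter.example.net"}  # constructed: recipient domains exempt from SRS
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _today(now=None):
    """Day counter modulo 1024, as carried in the two-character timestamp."""
    return int((time.time() if now is None else now) // 86400) % 1024

def _sig(ts, domain, local):
    """Truncated HMAC-SHA1; fields are NUL-separated so boundaries cannot be shifted."""
    msg = "\0".join((ts, domain, local)).lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest())[:4].decode()

def rewrite_sender(mail_from, rcpt_to, now=None):
    """Envelope sender to use for one recipient; exempt domains keep the original."""
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    local, _, domain = mail_from.rpartition("@")
    if not mail_from or rcpt_domain in NO_SRS_DOMAINS or domain.lower() == SRS_DOMAIN:
        return mail_from  # null sender, exempt recipient, or already rewritten
    day = _today(now)
    ts = B32[day >> 5] + B32[day & 31]
    return f"SRS0={_sig(ts, domain, local)}={ts}={domain}={local}@{SRS_DOMAIN}"

def reverse(srs_addr, now=None, max_age_days=21):
    """Original address for a valid, unexpired SRS0 address, else None."""
    local, _, domain = srs_addr.rpartition("@")
    parts = local.split("=", 4)
    if domain.lower() != SRS_DOMAIN or len(parts) != 5 or parts[0].upper() != "SRS0":
        return None
    _, sig, ts, odomain, olocal = parts
    t = ts.upper()
    if len(t) != 2 or not set(t) <= set(B32):
        return None  # malformed timestamp
    if not hmac.compare_digest(sig.encode(), _sig(ts, odomain, olocal).encode()):
        return None  # forged or altered address: treat as a bogus bounce
    day = B32.index(t[0]) * 32 + B32.index(t[1])
    if (_today(now) - day) % 1024 > max_age_days:
        return None  # signature is valid but too old
    return f"{olocal}@{odomain}"
```

For an exempt domain the envelope sender stays the original address, so a challenge/response whitelist keyed on it keeps matching, but that recipient's SPF check is then evaluated against the original sender domain rather than the SRS domain.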