Gunnar Hjalmarsson wrote:
> To make my mail server SPF compliant, I have it do SRS-rewriting of all
> outgoing envelope-from addresses, using the method described at
> http://srs-socketmap.info/sendmailsrs.htm . In my capacity as server
> admin, possible messages to the domain used for SRS go to me.
>
> Yesterday I received a "spam challenge" message from one of those
> challenge/response filter services, which let me know that the
> [SRS-signed address] address was not whitelisted. The "spam challenge"
> message was sent to the rewritten envelope-from address, not to the
> "From:" address.

C/R systems definitely should not send their challenges to the "From:"
address. The use of the envelope sender is as appropriate as it gets (if
C/R systems can be considered appropriate in the first place).

> The incident made me realize that having all outgoing envelope-from
> addresses rewritten clashes with the challenge/response approach. Not
> that I personally care much about the latter, but some users may
> consider it a problem.
>
> Anybody who knows of a simple solution to this problem?

Stuart suggested one. I don't know any other simple solution. The C/R
system could hold on to the original address embedded in the SRS-encoded
address instead of treating the SRS address as opaque, but that would
require the C/R system to support SRS, and also this would open the system
up to abuse.

C/R systems are bad, period.
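
An added illustration, not part of the original message and not code from any SRS implementation: a simplified SRS0 rewrite showing that a third party such as a C/R filter can extract the embedded original address but cannot check the hash that authenticates it. The field layout and truncated HMAC-SHA1 follow the general SRS scheme in simplified form; the secret, addresses and timestamp value are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; in practice only the rewriting server holds it.
SECRET = b"constructed-demo-secret"

def srs_hash(secret, timestamp, host, local):
    """Simplified SRS0 hash: truncated HMAC-SHA1 over the lowercased fields."""
    msg = (timestamp + host + local).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]

def srs_rewrite(secret, sender, forwarder, timestamp):
    """Rewrite an envelope sender into SRS0=hash=timestamp=host=local@forwarder."""
    local, host = sender.rsplit("@", 1)
    tag = srs_hash(secret, timestamp, host, local)
    return f"SRS0={tag}={timestamp}={host}={local}@{forwarder}"

def srs_parse(address):
    """All a third party can do: split the fields. Nothing here is authenticated."""
    local_part, _, forwarder = address.rpartition("@")
    if not local_part.upper().startswith("SRS0="):
        return None
    fields = local_part[5:].split("=", 3)
    if len(fields) != 4:
        return None
    tag, timestamp, host, local = fields
    return {"hash": tag, "timestamp": timestamp,
            "original": f"{local}@{host}", "forwarder": forwarder}

def srs_verify(secret, address):
    """Only the holder of the secret can recompute the hash and compare it."""
    parsed = srs_parse(address)
    if parsed is None:
        return False
    local, host = parsed["original"].rsplit("@", 1)
    expected = srs_hash(secret, parsed["timestamp"], host, local)
    return hmac.compare_digest(expected, parsed["hash"])

# Constructed addresses: one produced by the rewriting server, and a copy
# whose embedded original address was changed after the fact.
GENUINE = srs_rewrite(SECRET, "alice@example.org", "forwarder.example", "AB")
ALTERED = GENUINE.replace("=alice@", "=carol@")

if __name__ == "__main__":
    for addr in (GENUINE, ALTERED):
        # Both parse cleanly; only the secret holder can tell them apart.
        print(addr, srs_parse(addr)["original"], srs_verify(SECRET, addr))
```

A filter that keys its whitelist on the `original` field returned by `srs_parse` is trusting a value it has no means to validate, which is the exposure the reply points to.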