spf-discuss

Re: where is SES/BATV/ABBS?

2005-07-05 16:28:24
On Tue, 2005-07-05 at 15:11 -0700, Greg Connor wrote:
> If someone were to come up with a DNS server that knows how to distinguish 
> your SRS0+hash, via some exists: query, do you think you would be willing 
> to publish an SPF record to test it with?  Basically the exists: query 
> would pass back the full local part and your DNS server would provide a 
> yes-or-no answer, which is similar to what CBV does, only CBV wouldn't be 
> required at the recipient.  (You would probably want to publish using ?all 
> until you are confident that the trick DNS server is working.)

TBH I wouldn't be particularly happy to experiment with publishing an
SPF record or running experimental 'stunt DNS' servers on my machines.
I've got a lot of things higher up on my TODO list, including fixing my
greylisting not to be such a disgusting hack and assimilating a bunch of
new mail systems which I've been asked to take over.

But I'll certainly help out if you need some pointers in setting up your
own test bed. You can do it on just one address for testing purposes if you
want -- that's what I did in the beginning.

You can set it up to SRS-rewrite only your _own_ outgoing mail, and then
after watching the logs for a while you can make it actually start
rejecting MAIL FROM:<> / RCPT TO:<gconnor@nekodojo.org>

You don't need to point nekodojo.org's SPF record at the stunt DNS
server either. You can just make that record mark the localpart
'gconnor' as invalid. If your SRS-rewriting actually rewrites to
something like 'SRS0+xx+yy+nekodojo.org+gconnor@srs.nekodojo.org'
(i.e. at a different domain) then you can play with the SPF records
for _that_ domain to your heart's content.

> If that could be made to work, that might be a much better solution to the 
> forwarding problem than the one I described earlier.  And it could be done 
> proactively by the sender without depending on forwarders to do anything.

I see no reason why it shouldn't work, although personally I'm much
happier letting the recipients use SMTP callouts rather than playing
with stunt DNS servers. My configuration is baroque enough without
trying to reproduce parts of it outside the confines of the MTA.

The majority of the benefit to me comes from the fact that I no longer
accept those bounces -- the fact that third parties no longer accept
joe-jobs if they bother with SMTP callouts is just an added bonus as far
as I'm concerned.

-- 
dwmw2
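The scheme discussed in this exchange, as an added worked example that is not code from the thread or from any SRS implementation: outgoing mail is rewritten to an SRS0 address at srs.nekodojo.org, the original local part 'gconnor' is marked as never a valid bounce target, and a bounce (MAIL FROM:<>) to the SRS domain is accepted only if the hash in the RCPT TO local part verifies. The yes-or-no function is what Greg's exists: lookup or David's SMTP callout would return. The '+' separator and the domain names are the ones used in the thread; the HMAC-SHA1 hash, the two-character base32 day stamp and the 21-day validity window are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Constructed secret for the example; a real deployment uses a long random key kept in the MTA.
SECRET = b"constructed-example-secret-not-for-production"
SRS_DOMAIN = "srs.nekodojo.org"      # domain the thread proposes for rewritten addresses
PRIMARY_DOMAIN = "nekodojo.org"
REWRITTEN_LOCALS = {"gconnor"}      # local parts whose outgoing mail is always SRS-rewritten
HASH_LEN = 4                        # base32 characters of HMAC kept in the address (assumption)
MAX_AGE_DAYS = 21                   # bounces older than this are refused (assumption)
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(day: int) -> str:
    """Encode days-since-epoch modulo 1024 as two base32 characters (assumed format)."""
    return _B32[(day >> 5) & 31] + _B32[day & 31]


def _decode_timestamp(ts: str) -> int:
    return (_B32.index(ts[0]) << 5) | _B32.index(ts[1])


def _hash(ts: str, domain: str, local: str) -> str:
    """Short HMAC over timestamp, original domain and local part, keyed with the site secret."""
    msg = f"{ts}{domain}{local}".lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(mac)[:HASH_LEN].decode()


def srs_forward(address: str, day: int) -> str:
    """Rewrite sender@domain to SRS0+hash+ts+domain+sender@srs.nekodojo.org (the thread's form)."""
    local, domain = address.rsplit("@", 1)
    ts = _timestamp(day)
    return f"SRS0+{_hash(ts, domain, local)}+{ts}+{domain}+{local}@{SRS_DOMAIN}"


def srs_localpart_is_valid(localpart: str, today: int) -> bool:
    """The yes-or-no answer: does this SRS0 local part carry a valid, unexpired hash?"""
    parts = localpart.split("+", 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        return False
    _, given_hash, ts, domain, local = parts
    if len(ts) != 2 or any(c not in _B32 for c in ts):
        return False
    # Constant-time comparison so the hash cannot be guessed one character at a time.
    if not hmac.compare_digest(given_hash, _hash(ts, domain, local)):
        return False
    age = (today - _decode_timestamp(ts)) % 1024
    return age <= MAX_AGE_DAYS


def accept_bounce(mail_from: str, rcpt_to: str, today: int) -> bool:
    """Policy for the receiving MTA: only null-sender mail is checked, everything else passes."""
    if mail_from.strip("<>") != "":
        return True
    local, domain = rcpt_to.strip("<>").rsplit("@", 1)
    domain = domain.lower()
    if domain == PRIMARY_DOMAIN and local.lower() in REWRITTEN_LOCALS:
        # All genuine bounces for this user go to the SRS domain, so this one is a joe-job.
        return False
    if domain == SRS_DOMAIN:
        return srs_localpart_is_valid(local, today)
    return True


if __name__ == "__main__":
    day = 13000
    fwd = srs_forward("gconnor@nekodojo.org", day)
    print("rewritten:", fwd)
    print("bounce to SRS address:", accept_bounce("<>", f"<{fwd}>", day + 3))
    print("bounce to bare address:", accept_bounce("<>", "<gconnor@nekodojo.org>", day))
```

Run stand-alone it prints the rewritten address and the two accept/reject decisions. The same `srs_localpart_is_valid` function is what a DNS front end answering `exists:` queries would call, which is why the two approaches in the thread need no different logic, only a different place to run it.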

