spf-discuss

Re: Forwarding/Redirecting: The problem as I see it....

2005-07-08 09:38:43
On Fri, 8 Jul 2005, Julian Mehnle wrote:

> Forwarder whitelisting should be done based on the HELO identity, not the
> MAIL FROM identity.

That is not very useful, because the forwarder can have many MTAs -
all with different HELOs.  And the set is subject to change.

In my opinion, whitelisting of forwarders should be done based on
a MAIL FROM identity - but not necessarily the MAIL FROM the forwarder
uses to send mail himself.  The whitelisted domain should be the
MAIL FROM the forwarder *would* use if they were doing MAIL FROM rewriting.
This may not always be obvious, and is a barrier to correctly
implementing strict SPF checking.

If the forwarder has an SPF record for the whitelisted MAIL FROM,
great.  But a local substitute can be used if not (e.g. "v=spf1 ptr -all"),
effectively reusing the SPF machinery to simplify listing IP addresses.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
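
The whitelisting scheme described in the message above, as an added example that is not part of the original post or of any SPF implementation: a receiver keeps a list of forwarder MAIL FROM domains, uses the forwarder's published SPF record when there is one and a local substitute such as "v=spf1 ptr -all" when there is not, and accepts a connecting IP as a known forwarder only on an SPF pass. All domains, addresses and table names are constructed, DNS is replaced by in-memory tables, and only the ip4, ptr and all mechanisms are evaluated.

```python
import ipaddress

# Constructed stand-ins for DNS (documentation names and addresses only).
PTR = {"192.0.2.10": ["mx3.forwarder.example"],
       "198.51.100.9": ["mx1.forwarder.example"]}  # forged PTR: forward lookup disagrees
A = {"mx3.forwarder.example": ["192.0.2.10"],
     "mx1.forwarder.example": ["192.0.2.11"]}
PUBLISHED_SPF = {"alumni.example": "v=spf1 ip4:192.0.2.64/28 -all"}

# Local whitelist: the MAIL FROM domain each forwarder *would* use if it rewrote
# senders, mapped to a local substitute record (None = rely on the published one).
FORWARDERS = {"forwarder.example": "v=spf1 ptr -all", "alumni.example": None}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def ptr_match(ip, domain):
    """ptr mechanism: a reverse name that forward-confirms to ip and lies in domain."""
    return any(ip in A.get(n, []) and (n == domain or n.endswith("." + domain))
               for n in PTR.get(ip, []))

def check_host(ip, domain, record):
    """Evaluate ip4, ptr and all; other terms are skipped (simplification)."""
    if not record or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "ptr":
            hit = ptr_match(ip, arg or domain)
        else:
            hit = False
        if hit:
            return RESULT[qual]
    return "neutral"

def forwarder_for(ip):
    """Return the whitelisted forwarder domain that ip passes SPF for, else None."""
    for domain, local in FORWARDERS.items():
        record = PUBLISHED_SPF.get(domain) or local
        if check_host(ip, domain, record) == "pass":
            return domain
    return None
```

A message that fails strict SPF on its own MAIL FROM would be rechecked with `forwarder_for(connecting_ip)`; the forged-PTR address shows why the ptr substitute depends on forward confirmation.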

