On Fri, 8 Jul 2005, Julian Mehnle wrote:
> Forwarder whitelisting should be done based on the HELO identity, not the
> MAIL FROM identity.
That is not very useful, because the forwarder can have many MTAs -
all with different HELOs. And the set is subject to change.
In my opinion, whitelisting of forwarders should be done based on
a MAIL FROM identity - but not necessarily the MAIL FROM the forwarder
uses to send mail himself. The whitelisted domain should be the
MAIL FROM the forwarder *would* use if they were doing MAIL FROM rewriting.
This may not always be obvious, and is a barrier to correctly
implementing strict SPF checking.
If the forwarder has an SPF record for the whitelisted MAIL FROM,
great. But a local substitute can be used if not (e.g. "v=spf1 ptr -all"),
effectively reusing the SPF machinery to simplify listing IP addresses.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
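As an added illustration of the proposal in this reply (example code, not from the thread or any SPF implementation): the whitelist is keyed by the MAIL FROM domain the forwarder would use under rewriting, each entry carries a local substitute SPF record, and a small offline evaluator covering only ip4/ip6/ptr/all checks the connecting IP against it. The whitelist entries, IP addresses and DNS data are constructed.

```python
"""Forwarder whitelist keyed by the forwarder's would-be MAIL FROM domain,
checked by reusing (simplified) SPF mechanics on a local substitute record."""
import ipaddress

# Constructed whitelist: forwarder domain -> local substitute SPF record.
FORWARDER_WHITELIST = {
    "forwarder.example": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8::/64 -all",
    "lists.example": "v=spf1 ptr -all",
}

# Constructed DNS view so the 'ptr' mechanism can be evaluated offline.
DNS = {
    "ptr": {"198.51.100.7": ["mx1.lists.example"]},
    "a":   {"mx1.lists.example": ["198.51.100.7"]},
}

def ptr_matches(ip, domain, dns):
    """SPF 'ptr': a reverse name counts only if it forward-resolves back to the IP
    and is the target domain or a subdomain of it."""
    for name in dns["ptr"].get(ip, []):
        validated = ip in dns["a"].get(name, [])
        if validated and (name == domain or name.endswith("." + domain)):
            return True
    return False

def evaluate_spf(record, ip, domain, dns):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for one record.
    Only ip4, ip6, ptr and all are handled; include/a/mx would need live DNS."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # 'in' is False when address and network families differ.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "ptr":
            matched = ptr_matches(ip, arg or domain, dns)
        else:
            continue  # unsupported mechanism in this offline example
        if matched:
            return results[qualifier]
    return "neutral"

def whitelisted_forwarder(ip, dns=DNS):
    """Return the whitelisted forwarder whose local record passes for this IP, else None."""
    for domain, record in FORWARDER_WHITELIST.items():
        if evaluate_spf(record, ip, domain, dns) == "pass":
            return domain
    return None
```

A receiver would consult whitelisted_forwarder only after the original MAIL FROM failed its own SPF check, and accept the forwarded message when it returns a domain.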