Re: Survey: When does SPF cause legitimate email to be rejected?

Thanks for the suggestion. I actually have that implemented already, it's 
just that some users have been getting by using port 25 and leaving SSL 
switched off and they don't like being asked to change their settings, 
particularly when they've just phoned up upset. Ultimately I suppose I'll 
have to put my foot down and insist they comply. In any case I only 
mentioned it here because it is a source of "legitimate mail" SPF errors for 
us.
--Kaas


----- Original Message ----- 
From: "Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, August 08, 2005 10:08 PM
Subject: RE: [spf-discuss] Survey: When does SPF cause legitimate email to 
be rejected?

> > From: Kaas Baichtal
> > Sent: Saturday, August 06, 2005 3:28 PM
> >
> >
> > I think the most common two instances I've seen on my mailservers
> > both fall
> > loosely into this category:
> >
> > > * Legitimate email being rejected due to being sent from the wrong
> > >  location.  (aka the traveling mailman problem, or the roaming/home
> > >  user problem.)
> >
> > 1) It's been difficult to get email through to our secure mailserver from
> > all ISPs when users are travelling. Some of the dial up ISPs seem to grab
> > the email packets and make them go through their own servers instead,
> > regardless of how "outgoing mailserver" is set on the email client. This
> > results in some of their mail to 3rd parties that check SPF
> > getting blocked
> > as coming from an illegitimate IP. We've had some success getting around
> > this using alternate ports but when users are on the road they
> > are often not
> > highly receptive to spending lots of time on the phone screwing
> > around with
> > their mail settings to work it out.
> Have you considered transitioning your users to SMTP AUTH?  They would
> submit mail and authenticate over port 587 whether they are at home or on
> the road.  I've never heard of anyone blocking that port and the setup is
> trivial in most MUA's.  Implementing TLS is not required, even though it 
> is
> better security.  Submitting plaintext through port 587 from outside your
> network is no worse than submitting plaintext through port 25 from the 
> same
> location (when that port isn't blocked).
>
> --
>
> Seth Goodman
>
> -------
> Sender Policy Framework: http://spf.pobox.com/
> Archives at http://archives.listbox.com/spf-discuss/current/
> To unsubscribe, change your address, or temporarily deactivate your 
> subscription,
> please go to 
> http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com