spf-discuss

Re: unauthorized forwarders and dual DSNs

2005-08-16 12:31:26
On Tue, 16 Aug 2005, Arjen de Korte wrote:

  1. check if HELO is authorized or blocked by SPF
  2. if not, check if HELO is authorized or blocked by CSA
  3. check if HELO is at least RFC compliant
  4. if not, REJECT
  5. if HELO is authorized or RFC compliant, send DSN to
     postmaster(_at_)HELO(_dot_)domain.  If DSN is rejected, REJECT
  6. then send DSN to MAIL FROM.  If DSN is rejected, REJECT.
  7. if both HELO and MAIL FROM accept DSN complaining about
     SPF fail/softfail, accept message.
     (DSN success is cached to rate limit sending of DSNs)

What do you all think?

This looks to me like an awful lot of work, for what is essentially the
typical problem with receiving inbound mail from forwarders. The solution
I use, is to create a local policy which gives the outbound mailservers of
CompanyB a neutral result (i.e., treat them as any other forwarder used)
should the mail be rejected if 'efax.com' were ever to publish '-all'.

I don't want to simply authorize this forwarder - they are not and should
not be authorized.  I want to tolerate this forwarder, and automate nagging and
complaining about it.  The WARNING DSNs are the vehicle for the nagging and
complaining.  Furthermore, the procedure should apply to FAIL and SOFTFAIL
in general.  Either the sender screwed up their SPF record, or we
have an unauthorized forwarder - in general we don't know which, so
I send a DSN to both.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
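
The seven-step procedure quoted in this message, written out as receiver-side decision logic. This is an added example, not code from the thread or from any poster's mail filter. The names `Verdict`, `handle_spf_failure`, `send_dsn` and `dsn_cache` are hypothetical, and treating "blocked" as an immediate REJECT is an assumption.

```python
from enum import Enum


class Verdict(Enum):
    AUTHORIZED = "authorized"
    BLOCKED = "blocked"
    NONE = "none"  # no record published, or no opinion either way


def handle_spf_failure(helo, mail_from, helo_spf, helo_csa, helo_rfc_ok,
                       send_dsn, dsn_cache):
    """Decide ACCEPT/REJECT for a message whose MAIL FROM got SPF fail/softfail.

    send_dsn(rcpt) -> bool is a hypothetical callback that returns True when
    the warning DSN was accepted for delivery. dsn_cache is a set of
    recipients that already accepted one, so they are not sent another.
    """
    # Steps 1-2: SPF verdict on HELO first; consult CSA only if SPF has none.
    verdict = helo_spf if helo_spf is not Verdict.NONE else helo_csa
    if verdict is Verdict.BLOCKED:  # assumption: "blocked" means reject now
        return ("REJECT", "HELO blocked")

    # Steps 3-4: a HELO that is not authorized must at least be RFC compliant.
    if verdict is not Verdict.AUTHORIZED and not helo_rfc_ok:
        return ("REJECT", "HELO not RFC compliant")

    # Steps 5-6: warn the HELO domain's postmaster, then the envelope sender.
    for rcpt in ("postmaster@" + helo.lower(), mail_from.lower()):
        if rcpt in dsn_cache:
            continue  # an earlier DSN was accepted: rate limit, do not resend
        if not send_dsn(rcpt):
            return ("REJECT", "DSN refused by " + rcpt)
        dsn_cache.add(rcpt)  # only successful deliveries are cached

    # Step 7: both parties accepted the complaint, so tolerate the message.
    return ("ACCEPT", "both DSNs accepted")


if __name__ == "__main__":
    # Constructed sample input: an unlisted forwarder with a well-formed HELO.
    cache = set()
    print(handle_spf_failure("mail.forwarder.example", "user@sender.example",
                             Verdict.NONE, Verdict.NONE, True,
                             lambda rcpt: True, cache))
    print(sorted(cache))
```
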

