Simon Tyler wrote:
---- Message from johnp <johnp(_at_)idimo(_dot_)com> at 23-Sep-2005 10:42:32 ------
I know it is *my* boundary (actually it is not my boundary but the boundary of a customer using our software over which we have no control). We cannot guarantee that the AV provider will do it and the customer may not have the option of using a different AV provider. It is clearly in the AV provider's interest to do it and I'm sure many will but all may not.
A good RFC will provide a solution to this or at least advice.
Does the outsourced AV server check SPF? Does it do SRS? Either of these will enable you to check your incoming mail as if it is forwarded from the AV server - which is effectively what is happening.
No. The fundamental assumption here is that the AV gateway is AV only and is not SPF\SRS aware in any way. Hence the first point we are able to check SPF is after the AV gateway.
This is a real world problem for one of our customers who has just started using SPF in our product. He has AV outsourced but wishes to check SPF himself. I am trying to find a technical solution to the problem to include in the product. The only one I have thought of so far is to check the Received headers in the message when the message arrives at the first SPF aware server and use the IP address in the Received header. This would work as long as you trust the Received headers and they are well formed. It is not nice though.
The whole point of SPF is that it does *not* rely on the e-mail headers. It checks the mail at SMTP time, before the data is sent.
A second (non-technical) solution would be to adjust MX records. Most outsourced AV is done by MX records being changed to point to the AV gateway which then forwards to the real mail server. You could introduce an additional SPF gateway before the AV gateway simply to do SPF and change the MX records to point to it but this is not really a good solution.
That would be my choice. Configure a mailserver to receive all the mail, check SPF and forward to your AV server. This is good because you will have physical control of the SPF checking and the decision to reject on fail is yours, and not some outsourced service that you rely on getting it right. Your AV server is not checking SPF and your final destination isn't either, so there will be no SPF issues after the boundary mailserver. It also lets you use the HELO checks within SPF, and lots of other spoofing and other checks prior to the AV service. I suggest that you re-negotiate the cost of your AV service as they will be dealing with a vastly reduced amount of mail. ;-)
Slainte,
JohnP
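The Received-header workaround discussed in the thread, as an added illustration that is not part of either poster's message: the first SPF-aware server walks the Received headers newest-first, believes only stamps added by its own MX or by the outsourced AV gateway (host names and addresses below are constructed), and takes the first external client address as the IP to feed the SPF check, never consulting anything below that boundary. That is the only way the "as long as you trust the Received headers" condition can be met, since a sender can append arbitrary Received lines of its own.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed names: our own MX and the outsourced AV gateway, whose Received
# stamps we trust, and the gateway's address as our MX sees it.
TRUSTED_BY = {"mx.example.com", "av-gw.example.net"}
TRUSTED_GATEWAY_IPS = {"203.0.113.10"}

# from <helo> (<rdns> [<ip>]) ... by <host>   (IPv6 literals appear as [IPv6:...])
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*(?:\([^)]*?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)",
    re.DOTALL,
)

def client_ip_before_gateway(raw_message, trusted_by=TRUSTED_BY,
                             trusted_ips=TRUSTED_GATEWAY_IPS):
    """Return (ip, helo) of the host that connected to the AV gateway, or None.

    Walk Received headers newest-first. A header is only believed if it was
    stamped 'by' one of our trusted hosts; the first such header whose 'from'
    address is not a trusted gateway is the external client. Everything below
    it is untrusted and never read, so a forged Received line cannot steer
    the SPF check."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))
        if m is None or m.group("by") not in trusted_by:
            return None                  # chain broken: stamped by an untrusted MTA
        try:
            ip = str(ip_address(m.group("ip"))) if m.group("ip") else None
        except ValueError:
            return None                  # malformed address literal: refuse to guess
        if ip in trusted_ips:
            continue                     # internal hop (gateway -> our MX); keep walking
        if ip is None:
            return None                  # trusted MTA recorded no client address
        return ip, m.group("helo")
    return None                          # never left our own infrastructure

# Constructed sample: sender -> AV gateway -> our MX, plus a forged Received
# line the sender put below the boundary claiming to be the gateway.
SAMPLE = """\
Received: from av-gw.example.net (av-gw.example.net [203.0.113.10])
    by mx.example.com (Postfix) with ESMTP id 1A2B3C; Fri, 23 Sep 2005 10:42:32 +0100
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
    by av-gw.example.net (AV-Gateway) with ESMTP id 9Z8Y7X; Fri, 23 Sep 2005 10:42:30 +0100
Received: from forged.example (forged.example [203.0.113.10])
    by mail.sender.example with ESMTP id 0; Fri, 23 Sep 2005 10:42:00 +0100
From: someone@sender.example
Subject: test

body
"""

if __name__ == "__main__":
    print(client_ip_before_gateway(SAMPLE))  # ('198.51.100.7', 'mail.sender.example')
```

The returned address is what the SPF-aware server would pass to its SPF check in place of the connecting gateway's address; a None result means the chain cannot be trusted and the check should fall back to the gateway's own IP (or to no SPF result at all).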
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/