spf-discuss

Re: [spf-discuss] Bounce-Spam and SPF-Ignorant ISPs - it is time to retaliate?

2005-11-30 06:50:07
On Tue, 2005-11-29 at 12:16 +0000, paddy wrote:
> I installed qpsmtpd the other day with the intention of looking at it
> from angles like this (when I get a round tuit), and I'm keen to learn
> how other MTAs support or can be coaxed into the kind of semi-proxy
> behaviour?

http://www.exim.org/exim-html-4.50/doc/html/spec_39.html#IX2587

Example at http://david.woodhou.se/eximconf/acl-recipient ...

  # Deny unknown recipient at the domains for which we want to do callouts, so we
  # didn't already check them. For real senders we use defer_ok; for bounces we
  # don't. We can do callouts even for mailman domains now because we use the
  # 'use_sender' option.
  deny     domains      = +relay_domains : +dns_virtual_domains
           !senders     = :
           !recipients  = @@lsearch;CLUSTER/verify-except-recipients
           !verify      = recipient/defer_ok/callout=20s,random,defer_ok,use_sender

  deny     domains      = +relay_domains : +dns_virtual_domains
           senders      = :
           !recipients  = @@lsearch;CLUSTER/verify-except-recipients
           !verify      = recipient/callout=20s,random,use_sender

For mail destined to domains for which we're backup MX (relay_domains),
or to the virtual domains (which are mostly forwarded elsewhere), this
does an SMTP callout to verify the recipient.

I choose to handle this differently for bounces and non-bounces. For
non-bounces, I accept the mail even if the primary MX is unreachable
(that's the defer_ok option). For bounces, I don't. 

The use_sender option means that we do the callout using the same sender
as in the original message; otherwise it would use MAIL FROM:<>, which
would sometimes give a false negative. Mailing lists in particular tend
to refuse MAIL FROM:<>, as do addresses protected by SES/BATV.

The random option is just an optimisation -- if the recipient accepts
_any_ localpart, we just cache that information and don't bother to do
callouts again for that domain.

-- 
dwmw2
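
Added example, not part of the original message and not Exim code: a small Python model of how the two deny statements above turn a callout result into accept, deny or defer, including the random-localpart cache and the effect of use_sender. The probe functions, addresses and function names are constructed for illustration; the domain lists and the verify-except-recipients lookup are not modelled.

```python
import secrets

def rcpt_callout(probe, sender, rcpt, accept_all):
    """Return 'ok', 'fail' or 'defer' for one recipient callout.
    probe(mail_from, rcpt) is a hypothetical stand-in for the SMTP dialogue with
    the primary MX: it returns the RCPT TO reply code, or None if unreachable.
    accept_all is the cache of domains known to accept any local part."""
    domain = rcpt.rsplit("@", 1)[1]
    if domain in accept_all:
        return "ok"                          # cached: no connection is made
    # random: probe an unguessable local part first
    code = probe(sender, secrets.token_hex(8) + "@" + domain)
    if code is not None and 200 <= code < 300:
        accept_all.add(domain)               # target accepts anything
        return "ok"
    code = probe(sender, rcpt)               # use_sender: real sender, not <>
    if code is None or 400 <= code < 500:
        return "defer"
    return "ok" if 200 <= code < 300 else "fail"

def acl_recipient(probe, sender, rcpt, accept_all):
    """Combined outcome of the two deny statements: accept, deny or defer."""
    result = rcpt_callout(probe, sender, rcpt, accept_all)
    if result == "fail":
        return "deny"
    if result == "defer":
        # only the non-bounce statement carries defer_ok
        return "defer" if sender == "" else "accept"
    return "accept"

# Constructed sample targets (not real hosts).
KNOWN = {"alice@example.org"}
def strict_mx(mail_from, rcpt):   return 250 if rcpt in KNOWN else 550
def catchall_mx(mail_from, rcpt): return 250
def down_mx(mail_from, rcpt):     return None
def list_mx(mail_from, rcpt):     # refuses MAIL FROM:<>, as lists/BATV may
    return 550 if mail_from == "" or rcpt not in KNOWN else 250

if __name__ == "__main__":
    targets = [("strict", strict_mx), ("catchall", catchall_mx),
               ("down", down_mx), ("list", list_mx)]
    for name, mx in targets:
        for sender in ("bob@example.net", ""):
            for rcpt in ("alice@example.org", "nobody@example.org"):
                print(name, repr(sender), rcpt,
                      acl_recipient(mx, sender, rcpt, set()))
```
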

