spf-discuss

Re: [spf-discuss] Re: Election issue: forwarding problem

2007-02-06 03:34:02
On 05/02/07, Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com> wrote:
> On Sat, 3 Feb 2007, Michael Deutschmann wrote:
>
> > > I suppose one could do SRS if the message is SPF PASS, reject it if it's SPF
> > > FAIL and do traditional forwarding if it's any other SPF result.  This would
> > > avoid the making it worse part and actually reduce backscatter to some
> > > degree.
> >
> > Not necessarily.  Just because the result was NEUTRAL or SOFTFAIL when
> > the forwarder checks incoming mail, does not mean the result can't be FAIL
> > when the ultimate recipient checks the same message against the forwarder's
> > outgoing mail IP.
> >
> > So in some cases you need SRS to get through, but still can't safely
> > bounce.
>
> Three things:
>
> 1) The recipient MUST NOT check SPF for non-SRS forwarders.  If they
> don't know who their forwarders are, then they MUST NOT check SPF at all.  Of
> course, they probably will anyway, so ...

But the recipient (as an administrative entity) often isn't aware of
the status of a forwarder. There's a non-trivial and pretty flaky
people process involved if the administrator is to know about every
friendly forwarder that one of their users might have signed up with.

In the absence of this, there's no way to differentiate a forwarder
from a forger.

So I don't believe your 'MUST NOT's above are achievable in the wild.

> 2) The forwarder MAY rerun check_spf with his own IP.  If the result
> is FAIL, then use SRS, or drop the mail (possibly with a DSN to the
> alleged sender summarizing the situation.  The DSN can be easily filtered by
> savvy senders using MAIL FROM signing, e.g. SRS.)

This seems pretty sensible - I'm certainly going to look at
implementing on a forwarder I run.

> 3) The forwarder MAY just try the next hop, and if rejected, try again
> with SRS.

What's the benefit of this over just-use-SRS?

Peter

--
Peter Bowyer
Email: peter(_at_)bowyer(_dot_)org
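
Added example, not part of the original thread or of any SPF/SRS library: a forwarder that rejects on inbound SPF FAIL, then reruns the check against its own outgoing IP and rewrites the envelope sender only when the next hop would see FAIL (point 2 above). Assumptions: the policies are constructed samples held in a dict instead of DNS, only `ip4:` and `all` terms are evaluated, the rewritten address is a simplified SRS0-style form, and `srs_rewrite` and `forward_plan` are hypothetical names.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample policies (documentation address ranges). A real check
# fetches TXT records from DNS and handles every SPF mechanism.
POLICIES = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ?ip4:198.51.100.7 -all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain):
    """Evaluate ip4: and all terms left to right; the first match wins."""
    record = POLICIES.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:") and
                             addr in ipaddress.ip_network(mech[4:], strict=False)):
            return QUALIFIERS[qualifier]
    return "neutral"

def srs_rewrite(mail_from, forwarder_domain, secret, stamp):
    """Simplified SRS0-style address: keyed tag, timestamp, original sender."""
    local, _, domain = mail_from.rpartition("@")
    data = f"{stamp}{domain}{local}".lower().encode()
    tag = hmac.new(secret, data, hashlib.sha1).hexdigest()[:4]
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"

def forward_plan(mail_from, inbound_ip, forwarder_ip, forwarder_domain,
                 secret=b"constructed-demo-key", stamp="AB"):
    """Return (action, envelope sender to use on the next hop)."""
    domain = mail_from.rpartition("@")[2]
    if check_spf(inbound_ip, domain) == "fail":
        return ("reject", mail_from)      # refuse in-session, no later bounce
    if check_spf(forwarder_ip, domain) == "fail":
        # The next hop would see FAIL for our IP, so rewrite the sender.
        return ("forward-srs",
                srs_rewrite(mail_from, forwarder_domain, secret, stamp))
    return ("forward", mail_from)         # no FAIL expected at the next hop

if __name__ == "__main__":
    # Inbound NEUTRAL, but FAIL when re-checked against the forwarder's IP.
    print(forward_plan("alice@strict.example", "198.51.100.7",
                       "203.0.113.5", "fwd.example"))
```

The `strict.example` case is the one raised in the quoted reply: NEUTRAL on arrival at the forwarder, FAIL when evaluated against the forwarder's own IP, so the sender is rewritten even though the inbound result gave no grounds to reject.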

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/