
RE: [spf-discuss] Re: "pretend" MAIL FROM

2007-03-14 12:17:09
Stuart D. Gathman wrote on Wednesday, March 14, 2007 9:18 AM -0600:

Just to reiterate, the "pretend" MAIL FROM is *not* a HELO FQDN.  It
is the actual forwarder domain, the original "rcpt to".

Agreed, though you don't know the original RCPT TO, you guess what you
suppose it was for a forward.  Your description sounds like prior to
testing SPF on MAIL FROM, it runs checkhost() on the connect IP against
a list of your users' non-SRS forwarders for whom you maintain local SPF
records.  A pass is treated like a MAIL FROM pass for the forwarding
domain.  This either provides direct indication of a forwarder you want
to whitelist, or is simply a way to accumulate and apply reputation data
for non-SRS forwarders.  The end result is the same:  you accept the
message as whitelisted (or deny as blacklisted, if you permit this) and
forgo testing the real MAIL FROM address.

The alternative I suggested was to test for a locally maintained domain
list at the end of the HELO test, *iff* there is no HELO pass.  This is
only a slight variation to your method.  Since it tests the real HELO
name first, it automatically degrades into normal SPF when the forwarder
publishes SPF records for their HELO names.  Since you whitelist based
partly on locally maintained SPF records for specific domains, I think
you accomplish the same thing by doing this as part of the HELO test,
and that gives you a result earlier in the SMTP conversation.  Frankly,
testing against any guessed identity that the sender didn't provide,
whether MAIL FROM or HELO, is equivalent to adding the IPs directly to
a local whitelist.  Local SPF records are more maintainable than an IP
list, though, and easily transition to using the forwarders' own SPF
records when they eventually publish them (thinking positively).

Seth Goodman
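As an added illustration, not code from this thread or from any SPF implementation, here is a toy Python model of the ordering discussed above: run the real HELO test first, and consult locally maintained forwarder records only when there is no HELO pass, so the local list drops out once the forwarder publishes its own HELO record. Only ip4 and all mechanisms are modelled; every domain, record and address below is constructed.

```python
import ipaddress

# Constructed local SPF records for non-SRS forwarders (maintained by the receiver).
LOCAL_FORWARDER_SPF = {
    "forwarder.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

# Constructed stand-in for DNS TXT lookups of published SPF records.
PUBLISHED_SPF = {
    "mx.forwarder.example": None,   # forwarder has not yet published a HELO record
    "mail.sender.example": "v=spf1 ip4:198.51.100.10 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records):
    """Minimal check_host(): ip4 mechanisms plus all, with qualifiers.

    Returns an SPF result string; 'none' when the domain has no record.
    Mechanisms other than ip4/all are not modelled and are skipped.
    """
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                          # fell off the end of the record


def helo_stage(ip, helo, published=PUBLISHED_SPF, local=LOCAL_FORWARDER_SPF):
    """HELO test first; only if it does not pass, try the local forwarder records.

    Returns (result, identity that produced it, 'published' or 'local').
    """
    result = check_host(ip, helo, published)
    if result == "pass":
        return result, helo, "published"
    for forwarder in local:
        if check_host(ip, forwarder, local) == "pass":
            return "pass", forwarder, "local"
    return result, helo, "published"
```

Once the forwarder publishes a record for mx.forwarder.example, the same call returns a pass from the published record and the local list is never consulted.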

Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
please go to http://v2.listbox.com/member/?list_id=735