Stuart D. Gathman wrote:
The simplest way to whitelist a forwarder is the way pymilter does it:
provide the domain of the forwarder - what the forwarder would
use if they were enlightened enough to use SRS. If the mail would have
passed SPF (or a guessed SPF policy such as "v=spf1 a mx ptr") had
the forwarder actually used SRS, then the email is from the whitelisted
forwarder.
If that "guessed SPF" works correctly, perhaps the next version of SPF
should mention such default value and make it official.
The email admin at bigcorp.com adds biguni.edu to the list of forwarders
trusted by bigcorp.com. The mail system at bigcorp.com accepts email from IPs
that would get an SPF Pass or best-guess-pass with a mail from of
postmaster(_at_)biguni(_dot_)edu, without bothering to check SPF against the
real MAIL
FROM (or checks only if real mailfrom fails to get a pass or precompiles
forwarder domain list to an IP set or ...).
A hack is a hack. For one, there is no administrative relationship
between mailout.biguni.edu and biguni.edu itself (rfc5507).
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com