spf-discuss

Re: [spf-discuss] SPFv3 proposal: rawfail result

2011-02-05 09:14:38
On Sat, 5 Feb 2011, Michael Deutschmann wrote:

(I use SHOULD because today forwarder whitelisting is done in an ad-hoc
way that could be utterly broken by a forwarder changing the IP or
hostname of its handoff mailserver without notice.

The whitelisting is robust for most alias forwarders when you whitelist the
forwarder domain, and use SPF or best guess to identify mail from the
forwarder.  When attempting to explain this before, I called it
a "pretend" MAIL FROM.  The algorithm in its simple form goes like this:

if pending reject due to SPF fail or softfail:
  for all whitelisted alias forwarder domains:
    check SPF with connect IP and forwarder domain as MAIL FROM
    if pass:
      assume mail was from alias forwarder 

The two difficulties with this are:

 1) It is not always obvious what the domain of an alias forwarder is.
 It could be the original RCPT domain in the case of a university, or
 a separate business domain in the case of a commercial alias forwarder,
 or something else entirely.  It is the domain they would use in MAIL FROM
 if they were to use SRS.  GRIPE: If forwarders aren't going to implement
 SRS, they could at least let customers know their domain...

 2) Doing additional SPF checks for more than 2 or 3 forwarder domains
 is expensive.  This can be optimized by "compiling" the list into an
 IP set à la libspf2 - but this increases the complexity of the implementation.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
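
The "pretend" MAIL FROM check from the message above, combined with the compiled IP set mentioned in difficulty 2, as an added example that is not part of the original post or of libspf2. The forwarder domains and SPF records are constructed sample data, the function names are hypothetical, and only unqualified `ip4`/`ip6` mechanisms are evaluated in place of a full SPF check.

```python
import ipaddress

# Constructed sample data: SPF TXT records for hypothetical forwarder domains.
# A real implementation would fetch these from DNS and evaluate the full
# SPF mechanism set (include, a, mx, ...); only ip4/ip6 are handled here.
SPF_RECORDS = {
    "alumni.example.edu": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 -all",
    "forwarder.example.net": "v=spf1 ip4:203.0.113.64/26 ip6:2001:db8:10::/48 ~all",
}

def compile_forwarders(domains, records=SPF_RECORDS):
    """Flatten each whitelisted forwarder's SPF record into (network, domain) pairs."""
    compiled = []
    for domain in domains:
        # Skip the leading "v=spf1" term; an unknown domain yields no terms.
        for term in records.get(domain, "").split()[1:]:
            mech, _, value = term.partition(":")
            if mech in ("ip4", "ip6") and value:
                compiled.append((ipaddress.ip_network(value, strict=False), domain))
    return compiled

def pretend_mail_from(connect_ip, compiled):
    """Return the forwarder domain whose SPF would pass for connect_ip, or None."""
    addr = ipaddress.ip_address(connect_ip)
    for network, domain in compiled:
        if addr.version == network.version and addr in network:
            return domain
    return None

def final_disposition(spf_result, connect_ip, compiled):
    """Apply the override only when a reject is pending due to fail or softfail."""
    if spf_result not in ("fail", "softfail"):
        return spf_result, None
    forwarder = pretend_mail_from(connect_ip, compiled)
    if forwarder:
        return "forwarded", forwarder  # assume mail came via the alias forwarder
    return spf_result, None
```

The compiled set is a snapshot of the forwarders' records, so it has to be rebuilt when those records change or their DNS TTLs expire.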

