On Sat, 12 Sep 2009, Henrik K wrote:
> On Sat, Sep 12, 2009 at 09:02:35AM -0700, John Hardin wrote:
>> On Fri, 11 Sep 2009, MySQL Student wrote:
>>>> are you receiving forwarded emails from spf domains?
>>> If I understand correctly, no. I have no relationship with any external
>>> source and their SPF records.
>>>> if so add the forward ip to trusted_networks (so spf will be disabled
>>>> from this hosts)
>>> Do you mean to avoid the processing overhead? IOW, don't bother
>>> checking SPF records for trusted domains?
>> One of the problems with SPF is that someone who sets up forwarding (e.g.
>> you have a gmail account, and you set it to automatically forward
>> messages to your "real" account) breaks SPF checks for messages received
>> via the forward. If I send a mail to your gmail account, and google
>> forwards it to your real account, your MTA will see a message from an
>> @impsec.org address originating from an MTA that my SPF record says is
>> not a valid source. SPF fail.
> Bad example, gmail rewrites forwards properly coming from y...@gmail.com.
Oops. But you get the idea.
>> If you tell SA that google is trusted, that pushes the SPF test point
>> back one step - where did *google* receive the message from?
>> mail.impsec.org? Okay, then - SPF pass.
> PS. SPF is checked on internal, not trusted border. Even though they are
> the same for most people.. and I don't think you can disable SPF checks
> in any way except fully.
Hrm. Changing that might be something to consider, then.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
So Microsoft's invented the ASCII equivalent to ugly ink spots that
appear on your letter when your pen is malfunctioning.
-- Greg Andrews, about Microsoft's way to encode apostrophes
-----------------------------------------------------------------------
5 days until the 222nd anniversary of the signing of the U.S. Constitution
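
The forwarding effect discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin's code: a simplified model in which the SPF test point is the newest relay outside a configured set of networks to skip. Which SpamAssassin setting supplies that set (the trusted or the internal boundary) is the point Henrik raises; the host names, documentation-range addresses and SPF record below are constructed, and only `ip4:` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data: hypothetical hosts on documentation address ranges.
SENDER_SPF = "v=spf1 ip4:192.0.2.10 -all"   # policy published by the sender's domain
# Relay chain as the receiving MTA sees it, newest hop first.
RELAYS = [
    {"host": "forwarder.example", "ip": "198.51.100.25"},   # forwarding service
    {"host": "mail.sender.example", "ip": "192.0.2.10"},    # sender's own MTA
]
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_ip4_check(record, ip):
    """Evaluate the ip4: and all mechanisms of an SPF record, left to right."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"                           # nothing matched and no "all" term


def spf_test_point(relays, skipped_networks):
    """Return the newest relay whose address is outside every skipped network."""
    nets = [ipaddress.ip_network(n) for n in skipped_networks]
    for relay in relays:
        addr = ipaddress.ip_address(relay["ip"])
        if not any(addr in net for net in nets):
            return relay
    return None                                # every hop was skipped


def check(relays, skipped_networks, record=SENDER_SPF):
    """Return (host whose IP was tested, SPF result) for the relay chain."""
    relay = spf_test_point(relays, skipped_networks)
    if relay is None:
        return (None, "none")
    return (relay["host"], spf_ip4_check(record, relay["ip"]))


if __name__ == "__main__":
    print("forwarder not skipped:", check(RELAYS, []))
    print("forwarder skipped:    ", check(RELAYS, ["198.51.100.0/24"]))
```

With no networks skipped, the forwarder's address is tested against the sender's record and fails; once the forwarder's range is skipped, the sender's own MTA becomes the test point and the check passes.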