On Sat, 20 May 2017, David Jones wrote:
From: David B Funk <dbf...@engineering.uiowa.edu>
[snip..]
The message from you that I'm replying to here (both the one that came directly
to me and the copy I got thru theĀ Apache list server) are -totally- devoid of
DKIM headers. (If you'd like to see it I can put it up in paste-bin.)
I figured out what was going on. Microsoft must have recently (past few
months or so) started sending our outbound mail through another IP range.
I have updated my opendkim.conf to cover all Office 365 outbound servers.
This is one of the things that I dislike/fear about being dependent on
cloud based services.
Many traditional system paradigms use the concept of trusted IP
addresses (EG: internal_networks, trusted_networks, etc) for making
operational decisions.
When using cloud based services you have no control over their IP
addresses and have to worry about when they might change with out notice,
whom else they might be servicing using those same addrs, AND when they
might abandon them only for somebody else to start using them.
It also reduces the usefulness of RBLS and can even adversely affect the
performance of things such as Bayes.
When you get major amounts of Ham from O-365 most of the tokens derived
from O-365 messages get 0.000 score. So when spammers use O-365 even
blatant spam gets a Bayes score of 00%. (and this is after putting all the
O-365 headers in bayes_ignore_header statements).
(Our institution recently moved the majority of users' mail to O-365 so
this is a battle I'm fighting now).
Bottom line, in this brave new world address based auth(n/z) decisions are
going to be increasingly problematic and an increasing reliance on things
such as digital signatures.
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
