Re: SPF and mail forwarding (was Re: [nznog] Sendmail Question)
In message <20041128083138.GB27487(a)walnut.gen.nz>, Richard Hector writes:
On Sat, Nov 27, 2004 at 12:20:03PM +1300, Ewen McNeill wrote:
usera(a)ispa was one address so subscribed. Unfortunately usera(a)ispa actually forwards mail to userb(a)ispb, without rewriting the envelope from address -- [bounces because SPF check failed at ispb MX]
Perhaps I'm a little confused, but if usera is rejecting mail from servers that he has arranged to forward him mail, that's his own silly fault?
usera doesn't run the mail servers at ispb (or ispa for that matter). It is ispb's mail servers that are doing the SPF check, and rejecting the message, because it's been forwarded in a way that is not compliant with SPF. Other than complaining to ispb -- and they probably wouldn't even know to do so -- usera/userb can do little to influence the message being accepted or rejected at ispb. Viz:

1. spfprotecteddomain MX -> ispa MX:
   mail from: user(a)spfprotecteddomain
   rcpt to: usera(a)ispa
   Result: message accepted (passes SPF check if one is done)

2. ispa configuration for usera says "forward to userb(a)ispb"

3. ispa MX -> ispb MX:
   mail from: user(a)spfprotecteddomain
   rcpt to: userb(a)ispb
   Result: SPF check fails because ispa MX is not in the SPF from list, and message is rejected (and bounced by ispa MX back to user(a)spfprotecteddomain).

SPF's answer to this is that mail servers should rewrite the from address -- complete with lots of magic about how it should be done (still being debated). Rewriting it to be "mail from: usera(a)ispa" would work just about as well in practice in most situations (bounces go to the "wrong" place, but bounces are largely broken by all the abuse of them going on anyway). This is what procmail and some other things do.

FWIW, this is not a theoretical situation. This is really happening right now. And I ended up relaxing some of my SPF statements as a "work around".

As I said in the beginning I'd like to see more ISPs that offer "mail forwarding" services to their customers forward that mail in a way that won't cause SPF rejections further down the track. Like it or not SPF is being implemented, and trying to ignore it will not stop your customers' mail being bounced.

Ewen
Users of the Mozilla Thunderbird mail client might like to look at the Thunderbird Extension for Sender Policy Framework (SPF)

http://taubz.for.net/code/spf/index.xpd

As well as an extension for the mail client that provides a notification on each message about its SPF status, there's a simple query server that you can run to do the checks. Interestingly it reports that some mail from this list is forged!
Doing the SPF Checking on the MUA (not on the MTA) is not a very good way of doing it. This has been discussed a bit on the SPF mailing list recently. (Check it out if you want the reason why.)

Thanks
Craig
-----Original Message-----
From: Andy Linton [mailto:asjl(a)citylink.co.nz]
Sent: Thursday, December 02, 2004 11:50 AM
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] Re: SPF and mail forwarding
Users of the Mozilla Thunderbird mail client might like to look at the Thunderbird Extension for Sender Policy Framework (SPF) http://taubz.for.net/code/spf/index.xpd
participants (3): Andy Linton, Craig Whitmore, Ewen McNeill