[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: @debian.org email forwarding and SPF

On Tue, 18 May 2004, Isaac To wrote:
>     >> >>The debian.org forwarding done by the LDAP distributed email system
>     >> >>doesn't seem to implement the sender rewriting scheme
>     >> >>(http://spf.pobox.com/srs).
>     >> >And let's hope it will continue this way, SPF is a solution looking
>     >> for >a problem.

Actually, no.  It is a nice one that reduces a lot forged email addresses,
with less social and computational costs than teaching people to use real
encryption (AND it works for system-generated mail, which in 99.999% of the
cases is NOT encrypted by anyone, either).

If it would help to reduce spam, that's another story.  I don't think it
will.  It will help blacklists immensely, though.

It has also two sides, and we really should implement the "let's refuse mail
from SPF people that tell us that something is forged" as soon as hotmail&co
enable SPF fully.  This means nothing to @debian.org addresses, but it does
mean we start bouncing some false email, which is always a plus.

>     >> If spams forge address, there should be a real anti-anti-spam
>     >> motivation, so SPF will help in this relative small field.
>     Andreas> And SPF breaks at the same time the ease of forwarding email.

Yes, it indeed does.  You have to either direct all email to an
authenticated SMTP host that is on your SPF profile (should not be a problem
for Debian, we have more than enough resources and know-how to configure
this, and even to buy another smtp-outgoing machine if we really want to)...

Or we have to add a few key bits to the LDAP gateway and DNS zones to
publish SPF data from the developers, which is less "secure" (unless SPF
does user@domain these days, instead of just @domain).

Anyway, should there be real interest in @d.o under SPF, we could deploy it
with little pain, as long as we have at least one auth'ed SMTP forwarder
developers can use if they are in a really bad network position (i.e. they
don't have one under their control).

What pisses me off in SPF is the need for bounces to go the entire chain
back, instead of directly.  But for Debian, this is a non-issue, since that
_already happens anyway_, and since our list servers ARE or HAVE their own
forwarding SMTPs.

> My understanding is that SPF ignores the "From:" RFC-2822 header, and
> considers only the "mail from" header during the SMTP (RFC-2821)

>From what I read, yes. But you can probably tell it to be anal retentive,
and go after the RFC8222 headers as well as the SMTP envelope, if you want.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to: