
Re: @debian.org email forwarding and SPF



My original post was regarding mail to @debian.org accounts that will get lost because of SPF records and mail filtering outside the control of Debian and the developer in question. I think this is an important issue to be aware of, and perhaps it should be resolved.

The topics you are discussing are totally unrelated to that, namely: debian.org publishing SPF records, and Debian's mail servers rejecting email with SPF filters. If you'd like to continue discussing that, I'd ask that you kindly start another thread. Everyone has strong opinions about SPF and SRS, and I don't want these multiple issues to be confused.

-John


Henrique de Moraes Holschuh wrote:
On Tue, 18 May 2004, Isaac To wrote:

   >> >>The debian.org forwarding done by the LDAP distributed email system
   >> >>doesn't seem to implement the sender rewriting scheme
   >> >>(http://spf.pobox.com/srs).

   >> >And let's hope it will continue this way, SPF is a solution looking
   >> >for a problem.


Actually, no.  It is a nice one that reduces forged email addresses a lot,
with less social and computational costs than teaching people to use real
encryption (AND it works for system-generated mail, which in 99.999% of the
cases is NOT encrypted by anyone, either).

If it would help to reduce spam, that's another story.  I don't think it
will.  It will help blacklists immensely, though.

It has also two sides, and we really should implement the "let's refuse mail
from SPF people that tell us that something is forged" as soon as hotmail&co
enable SPF fully.  This means nothing to @debian.org addresses, but it does
mean we start bouncing some false email, which is always a plus.


   >> If spams forge address, there should be a real anti-anti-spam
   >> motivation, so SPF will help in this relative small field.

   Andreas> And SPF breaks at the same time the ease of forwarding email.


Yes, it indeed does.  You have to either direct all email to an
authenticated SMTP host that is on your SPF profile (should not be a problem
for Debian, we have more than enough resources and know-how to configure
this, and even to buy another smtp-outgoing machine if we really want to)...

Or we have to add a few key bits to the LDAP gateway and DNS zones to
publish SPF data from the developers, which is less "secure" (unless SPF
does user@domain these days, instead of just @domain).

Anyway, should there be real interest in @d.o under SPF, we could deploy it
with little pain, as long as we have at least one auth'ed SMTP forwarder
developers can use if they are in a really bad network position (i.e. they
don't have one under their control).

What pisses me off in SPF is the need for bounces to go the entire chain
back, instead of directly.  But for Debian, this is a non-issue, since that
_already happens anyway_, and since our list servers ARE or HAVE their own
forwarding SMTPs.


My understanding is that SPF ignores the "From:" RFC-2822 header, and
considers only the "mail from" header during the SMTP (RFC-2821)


From what I read, yes. But you can probably tell it to be anal retentive,
and go after the RFC8222 headers as well as the SMTP envelope, if you want.


--
http:// ift ile.org/
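
Added example, not part of the thread or any participant's code: a minimal sketch of why plain forwarding fails an SPF check on the SMTP envelope sender, and how an SRS-style rewrite by the forwarder makes the check pass while still letting bounces be routed back. The domains, IP addresses, secret and `day_stamp` are constructed; the evaluator handles only `ip4:` and `all`, and the tag is a simplified stand-in for the real SRS hash.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF policies keyed by domain (stand-in for DNS TXT lookups).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
}
SRS_SECRET = b"constructed-demo-secret"  # hypothetical forwarder-side key
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, mail_from):
    """Check the connecting IP against the policy of the envelope sender's
    domain (SMTP MAIL FROM); the From: header is never consulted."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def _tag(day_stamp, domain, local):
    # Short keyed tag so third parties cannot mint valid return addresses.
    msg = f"{day_stamp}{domain}{local}".lower().encode()
    return hmac.new(SRS_SECRET, msg, hashlib.sha1).hexdigest()[:4]

def srs_forward(mail_from, forwarder_domain, day_stamp="AB"):
    """Rewrite the envelope sender into the forwarder's own domain (SRS0 layout)."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0={_tag(day_stamp, domain, local)}={day_stamp}={domain}={local}@{forwarder_domain}"

def srs_reverse(srs_address):
    """Recover the original sender for a bounce; reject a tampered tag."""
    _, tag, day_stamp, domain, local = srs_address.rsplit("@", 1)[0].split("=", 4)
    if not hmac.compare_digest(tag, _tag(day_stamp, domain, local)):
        raise ValueError("SRS tag mismatch")
    return f"{local}@{domain}"
```

Because the rewritten address lives in the forwarder's domain, a bounce goes to the forwarder first and is reversed there, which is the bounce path through the whole chain that the message above mentions.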


