
Re: @debian.org email forwarding and SPF

This one time, at band camp, John Belmonte said:
> Stephen Gran wrote:
> >And so, if it's forwarded to you via your @d.o email, it will make it
> >through - it's coming from an at d.o address, and an @d.o machine.  Only
> >if the debian machines start doing SPF checking for @d.o addresses (in
> >which case nobody would be able to send mail with an envelope from an
> >@d.o address unless logged in to one of the machines), it won't help, as
> >I understand it.
> I think you may be misunderstanding a few points.  One is that there is 
> no such thing as a mail server doing SPF checking on a certain domain-- 
> it is all domains publishing SPF or nothing.  More importantly, if the 
> original sender's domain publishes SPF, and the developer's ISP does SPF 
> filtering, and Debian's forwarding does not employ SRS, then the 
> forwarded email you describe will *not* make it through, even if 
> debian.org is publishing SPF records.  The reason is that when the 
> message hits the ISP, the envelope from won't match the machine relaying 
> the mail (*.debian.org).
> -John

I was under the impression that the problem described was receiving
viruses with an envelope from honey@d.o.  I am under the impression that
if you are doing SPF checks, and you receive one of these emails from a
debian machine (because you have your debian email forwarded to you),
that it will go through just fine - envelope from matches machine
sending.  Is that incorrect?

The problem (from the point of view of SPF) is the forged envelope from.
However if the d.o. machines start doing SPF checks, then none of us can
easily send email with an @d.o. address, unless we implement
authenticated SMTP or other things, and start routing our mail based on
the From: header or envelope from.  

|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
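The forwarding cases discussed in this thread, as an added example that is not part of the original message: a simplified SPF evaluator (ip4 mechanisms only) run at the final receiving host. The domains, addresses, the SPF table and the SRS tag are constructed placeholders, and srs_rewrite() only mimics the shape of an SRS address without computing a real hash or timestamp.

```python
import ipaddress

# Constructed SPF data using documentation IP ranges; not real DNS records.
SPF = {
    "sender.example": ["192.0.2.0/24"],        # original sender's domain
    "forwarder.example": ["198.51.100.0/24"],  # domain of the forwarding host
}

def spf_check(envelope_from, client_ip):
    """Simplified SPF: match the connecting IP against the envelope domain's ip4 list."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    nets = SPF.get(domain)
    if nets is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in nets):
        return "pass"
    return "fail"      # constructed records are treated as ending in -all

def srs_rewrite(envelope_from, forwarder_domain, tag="HHH=TT"):
    """SRS-style rewrite; 'tag' stands in for the real hash and timestamp fields."""
    local, domain = envelope_from.rsplit("@", 1)
    return f"SRS0={tag}={domain}={local}@{forwarder_domain}"

def scenarios():
    orig = "alice@sender.example"
    fwd_ip = "198.51.100.7"  # the forwarder's outbound relay
    return {
        # Sender's own server delivers straight to the receiver.
        "direct": spf_check(orig, "192.0.2.10"),
        # Forwarder relays with the envelope sender left unchanged.
        "forwarded_no_srs": spf_check(orig, fwd_ip),
        # Forwarder rewrites the envelope sender into its own domain.
        "forwarded_srs": spf_check(srs_rewrite(orig, "forwarder.example"), fwd_ip),
        # Envelope sender in the forwarder's domain, relayed by the forwarder:
        # the final hop only sees the last relay, so the check passes.
        "forwarder_domain_via_forwarder": spf_check("user@forwarder.example", fwd_ip),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} {result}")
```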
