Loading ...
Sorry, an error occurred while loading the content.

Re: Relaying to SPF protected server

Expand Messages
  • Ralf Hildebrandt
    ... http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin
    Message 1 of 16 , Apr 1 4:42 AM
    • 0 Attachment
      * Ralf Hildebrandt <Ralf.Hildebrandt@...>:

      > Yes, SRS

      http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

      --
      Ralf Hildebrandt
      Geschäftsbereich IT | Abteilung Netzwerk
      Charité - Universitätsmedizin Berlin
      Campus Benjamin Franklin
      Hindenburgdamm 30 | D-12203 Berlin
      Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
      ralf.hildebrandt@... | http://www.charite.de
    • Simon Waters
      ... As Ralph says SRS will do this. However I looked at this recently for a project, where I thought I d need SRS, and after reviewing the various issues and
      Message 2 of 16 , Apr 1 5:14 AM
      • 0 Attachment
        On Thursday 01 April 2010 12:38:29 J.R.Ewing wrote:
        >
        > Is there any solution?
        > I have idea to move senders address to "reply to" field and write new
        > sender. Is it possible with postfix?

        As Ralph says SRS will do this.

        However I looked at this recently for a project, where I thought I'd need SRS,
        and after reviewing the various issues and SPF adoption figures, concluded
        I'd ignore SPF.

        In particular very few people reject outright on SPF failure (not least this
        isn't a good strategy compared to other filtering methods if all you want to
        do is reduce spam). Various systems handle SPF failed email in a more
        suspicious manner, but that isn't a practical problem in my experience.

        SRS might work better for your purpose, but SPF is broken by design and you
        should flag that to the people using it.

        We forward a lot of email, we don't do envelope rewriting, and have had a
        handful of complaints over the years, most from the same person who didn't
        seem to understand "we have no plans to change at this time".
      • Larry Stone
        ... One day is pretty short. The default is five days. Although things are a lot more reliable these days, it s still possible for an unattended destination
        Message 3 of 16 , Apr 1 5:15 AM
        • 0 Attachment
          On 3/31/10 11:03 PM, Vernon A. Fort at vfort@... wrote:


          > The maximal_queue_lifetime-30s was for testing only - its normally set
          > for 1d.

          One day is pretty short. The default is five days. Although things are a lot
          more reliable these days, it's still possible for an unattended destination
          server to be down over a weekend or be down for long periods for an upgrade,
          etc.

          --
          Larry Stone
          lstone19@...
          http://www.stonejongleux.com/
        • J.R.Ewing
          ... Thanks Simon and Ralf for replies, I was observing SRS and it lookslike there is not a simple way to implement it with postfix. Because Iam just starting
          Message 4 of 16 , Apr 1 5:27 AM
          • 0 Attachment
            Simon Waters napsal(a):
            > On Thursday 01 April 2010 12:38:29 J.R.Ewing wrote:
            >> Is there any solution?
            >> I have idea to move senders address to "reply to" field and write new
            >> sender. Is it possible with postfix?
            >
            > As Ralph says SRS will do this.
            >
            > However I looked at this recently for a project, where I thought I'd need SRS,
            > and after reviewing the various issues and SPF adoption figures, concluded
            > I'd ignore SPF.
            >
            > In particular very few people reject outright on SPF failure (not least this
            > isn't a good strategy compared to other filtering methods if all you want to
            > do is reduce spam). Various systems handle SPF failed email in a more
            > suspicious manner, but that isn't a practical problem in my experience.
            >
            > SRS might work better for your purpose, but SPF is broken by design and you
            > should flag that to the people using it.
            >
            > We forward a lot of email, we don't do envelope rewriting, and have had a
            > handful of complaints over the years, most from the same person who didn't
            > seem to understand "we have no plans to change at this time".


            Thanks Simon and Ralf for replies,

            I was observing SRS and it lookslike there is not a simple way to
            implement it with postfix.
            Because Iam just starting to relaying at my server, I will let some time
            to see, if there are some major problems with it or if it works
            unnoticed for users. Sad is, that the major freemail provider
            (seznam.cz) here in Czech Republic sadly implement and enforce SPF, the
            question is, how many domains that our users would be recieving from are
            SPF "protected" (I know only one, at domain of our company :-/).

            Thanks again

            J.R
          • Wietse Venema
            ... make that: local.unix (the connection type comes last).
            Message 5 of 16 , Apr 1 5:48 AM
            • 0 Attachment
              Wietse Venema:
              > Vernon A. Fort:
              > > The maximal_queue_lifetime-30s was for testing only - its normally set
              > > for 1d. The sole issues is to prevent mail from bouncing back if we
              > > don't get the encrypted volume mounted and cyrus started back up soon
              > > enough. A reasonable example would be if the server rebooted due to a
              > > power hiccup and we did not get the notifications quick enough.
              > >
              > > For now, i have a startup script to set the maximal_queue_lifetime to 1w
              > > using postconf -e. This seems to do the trick.
              >
              > Another option is
              >
              > postconf -e "master_service_disable = unix.local"

              make that: local.unix (the connection type comes last).

              > Or even:
              >
              > postconf -e "master_service_disable = qmgr.fifo"
              >
              > (requires Postfix 2.6 or later).
              >
              > Wietse
              >
              >
            • ram
              ... SPF if not the only reason why you would need SRS. We provide SMTP relay for various mail servers. I want to make sure that every customer uses only his
              Message 6 of 16 , Apr 2 1:54 AM
              • 0 Attachment
                On Thu, 2010-04-01 at 12:14 +0000, Simon Waters wrote:
                > On Thursday 01 April 2010 12:38:29 J.R.Ewing wrote:
                > >
                > > Is there any solution?
                > > I have idea to move senders address to "reply to" field and write new
                > > sender. Is it possible with postfix?
                >
                > As Ralph says SRS will do this.
                >
                > However I looked at this recently for a project, where I thought I'd need SRS,
                > and after reviewing the various issues and SPF adoption figures, concluded
                > I'd ignore SPF.
                >
                > In particular very few people reject outright on SPF failure (not least this
                > isn't a good strategy compared to other filtering methods if all you want to
                > do is reduce spam). Various systems handle SPF failed email in a more
                > suspicious manner, but that isn't a practical problem in my experience.
                >
                > SRS might work better for your purpose, but SPF is broken by design and you
                > should flag that to the people using it.
                >
                > We forward a lot of email, we don't do envelope rewriting, and have had a
                > handful of complaints over the years, most from the same person who didn't
                > seem to understand "we have no plans to change at this time".

                SPF if not the only reason why you would need SRS.
                We provide SMTP relay for various mail servers.
                I want to make sure that every customer uses only his domain(s) and
                sends the mail. Important to implement proper usage reporting as well as
                stop abuse of network



                Thanks
                Ram





                PS: SPF is used by gmail,hotmail, aol and 40% of the fortune 500
                companies in the world among a huge lot of others. I dont think it
                makes any sense to flag anything like "SPF is broken" to so many people.
                Anyway discussing rising SPF adoption and the unreasonable arguments
                against SPF is OT on the postfix mailing list.
              • Wietse Venema
                ... Postfix supports DKIM, DomainKeys, SPF, SRS, SenderID, etc., etc., via Milter plugins or SMTP-based content filters. Wietse
                Message 7 of 16 , Apr 2 5:12 AM
                • 0 Attachment
                  ram:
                  >
                  > On Thu, 2010-04-01 at 12:14 +0000, Simon Waters wrote:
                  > > On Thursday 01 April 2010 12:38:29 J.R.Ewing wrote:
                  > > >
                  > > > Is there any solution?
                  > > > I have idea to move senders address to "reply to" field and write new
                  > > > sender. Is it possible with postfix?

                  Postfix supports DKIM, DomainKeys, SPF, SRS, SenderID, etc., etc.,
                  via Milter plugins or SMTP-based content filters.

                  Wietse
                • Jose Ildefonso Camargo Tolosa
                  Hi! This is getting interesting..... How, exactly, does mailman (or other mailing list manager) handles this? I mean, I have seen several SPF-enabled domains,
                  Message 8 of 16 , Apr 3 8:09 AM
                  • 0 Attachment
                    Hi!

                    This is getting interesting..... How, exactly, does mailman (or other
                    mailing list manager) handles this? I mean, I have seen several
                    SPF-enabled domains, and these domains have subscriptions to one or
                    more lists... now, reading the headers for one of the messages of this
                    lists, I got this:

                    Sender: owner-postfix-users@...

                    So... my guess is that the SPF check will go against this mail
                    address, not the one on the From field..... am I right?

                    What do you think?

                    lldefonso Camargo
                  • Sahil Tandon
                    ... SPF is against the ENVELOPE, not the HEADER. -- Sahil Tandon
                    Message 9 of 16 , Apr 3 9:38 AM
                    • 0 Attachment
                      On Sat, 03 Apr 2010, Jose Ildefonso Camargo Tolosa wrote:

                      > So... my guess is that the SPF check will go against this mail
                      > address, not the one on the From field..... am I right?

                      SPF is against the ENVELOPE, not the HEADER.

                      --
                      Sahil Tandon <sahil@...>
                    • Wietse Venema
                      ... SPF uses the address in MAIL FROM command. This is sent before the RCPT TO command and before the message header/body. Wietse
                      Message 10 of 16 , Apr 3 12:21 PM
                      • 0 Attachment
                        Jose Ildefonso Camargo Tolosa:
                        > Hi!
                        >
                        > This is getting interesting..... How, exactly, does mailman (or other
                        > mailing list manager) handles this? I mean, I have seen several
                        > SPF-enabled domains, and these domains have subscriptions to one or
                        > more lists... now, reading the headers for one of the messages of this
                        > lists, I got this:
                        >
                        > Sender: owner-postfix-users@...
                        >
                        > So... my guess is that the SPF check will go against this mail
                        > address, not the one on the From field..... am I right?
                        >
                        > What do you think?

                        SPF uses the address in MAIL FROM command. This is sent before
                        the RCPT TO command and before the message header/body.

                        Wietse
                      Your message has been successfully submitted and would be delivered to recipients shortly.