Re: [exim] support for domainkeys

Góra strony
Delete this message
Reply to this message
Autor: David
Data:  
Dla: David Woodhouse
CC: Tony Finch, exim-users
Temat: Re: [exim] support for domainkeys
Hi !!

>>no, but it has problems. BTW, looks like it's only targeted at
>>detecting bounces generated by faked messages altough the whole
>>draft looks a bit confusing to me, i would be pleased if you can
>>outline how it works in a more plain way.
>
> Does this help? ...
>
> http://archives.listbox.com/spf-discuss@v2.listbox.com/200402/0900.html


yes, so BATV, SES and SRS are almost the same. They will help you
reject faked bounces before data. That's fine. But this will cause
serious problems with some mailing lists and, as they need to take
care of the message age and at the same time be greylisting friendly,
lets your BATV encoded address be faked during some time. It's something
that could help but nothing that makes spf useless. We have also being
playing with some crude attempts to detect faked bounces analyzing
the message body and realized that:

a) most faked 'bounces' are not real bounces (null envelope sender)
    but virus/spam warnings with non null envelope senders.


b) most email servers, including all major isps, reject at smtp time
    so the unique scenario where we receive real bounces is in the
    case of email forwarding or from poorly configured email servers
    that do not reject at smtp time.


c) some other broken mta's/firewalls send bounces using postmaster,
    mailer-daemon, nobody and all sort of non-null envelope senders


so BATV solves a very little portion of the problem generated by
email forgery, it will be usable if all mailing list software where
batv compliant (this is its main drawback).

regarding the fact that batv helps fight email forgery because
callout for forged addresses will fail, take in account that
callouts are expensive, both for you and the calling party and
that for this to be effective everybody should use callout
verifications. SPS is better in this aspect because dns queries are
faster and consume less resources than callouts.

nevertheless srs/ses/batv solutions are need by spf to solve the
forwarding problem, altough i lately start thinking that i don't
like the idea of anybody but me using my addresses as the envelope
sender (as this implies that the sending mta is asking the remote mta
that bounces should be directed to me). Maybe bounces MUST only be
sent to a existant user on the sending mta, not elsewhere without
the prior permission of the real owner of the email address.

--
Best regards ...

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       e-mail  david@???
    Pintor Vayreda 1                 telf    +34 902 50 29 75
    08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------