[Partly for the benefit of the list archives]
David Woodhouse <dwmw2@???> writes:
> On Tue, 2005-05-24 at 10:57 +0100, Chris Webb wrote:
> >
> > As you say, the former ought to be relatively straightforward to test,
> > although I'd like to be able to be more specific than just testing for an
> > SPF-affected domain. There may be SPF domains that allow a (perhaps very
> > wide) subset of hosts including our machines (especially people we've
> > complained to in the past, who've just added our mail servers to their SPF
> > host list!), and we don't want to rewrite for that case if we can help it.
>
> True.
Using the new spf lookup type implemented by my patch (hopefully going into
CVS Exim in time for 4.52), I can easily create a mangling router that only
does the SRS rewrite if an SPF check on our forwarded mail would otherwise
fail or softfail:
  srs_mangle:
    driver = redirect
    # only domains we aren't primary MX for, i.e. mail we forward elsewhere
    domains = ! @mx_primary
    srs = forward
    # SRS_MYADDR is our single outgoing IP; "fail" also matches "softfail"
    srs_condition = ${if match {${lookup {$return_path} spf{SRS_MYADDR}}} {fail}}
    srs_alias = SRS_DOMAIN
    data = $local_part@$domain
Changing the 'domains =' line to lsearch;/etc/exim/spf-enforcers or similar
gives a policy that also only SRS rewrites mail to the (manually maintained)
list of domains that actually enforce SPF verification.
> You also need to run the check against your own outgoing IP address,
> which you won't necessarily have until you get to the transport.
This is true in principle, but in our case, we know that our mail is sent
using connections with one particular source IP number, so the check is
easy. Cop out on my part! ;-)
> And if every hop were to rewrite unconditionally the reverse-path would
> very quickly get silly.
Very true!
> By implementing SRS unconditionally, you're only pandering to the
> stupidity and helping to make the problem worse. Please don't do that --
> if you have to make an exception for a limited number of sites who
> refuse to correct their behaviour, that's sane enough, but don't do it
> unconditionally.
Agreed. We're now going to SRS rewrite only for mail destined to listed
broken sites, and then only if an SPF failure would otherwise result.
Cheers,
Chris.
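The policy Chris settles on above (rewrite only for listed enforcing sites, and only when SPF on our own outgoing IP would fail or softfail) is easy to get subtly wrong, so here it is spelled out as a stand-alone Python sketch. This is an added example, not Chris's router and not Exim or libsrs2 code: the SPF records, the enforcer list, the forwarder IP 198.51.100.10, the SRS domain forwarder.example and the secret are all constructed stand-ins for DNS, /etc/exim/spf-enforcers and the SRS_MYADDR/SRS_DOMAIN macros. The SPF evaluator handles only ip4/ip6/all/include/redirect, and the SRS0 layout and timestamp follow the usual SRS scheme in a simplified form.

```python
"""Conditional SRS rewriting: rewrite the return path only when the recipient
domain enforces SPF and SPF on our own outgoing IP would fail or softfail.
Added example; the records, IPs, domains and secret below are constructed."""
import base64
import hashlib
import hmac
import ipaddress
import time

# Constructed SPF records standing in for DNS TXT lookups (not real domains).
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "lenient.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "permissive.example": "v=spf1 include:_spf.permissive.example -all",
    "_spf.permissive.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
ENFORCERS = {"broken-site.example"}      # stands in for /etc/exim/spf-enforcers
FORWARDER_IP = "198.51.100.10"           # assumed single outgoing IP (SRS_MYADDR)
SRS_DOMAIN = "forwarder.example"         # assumed SRS_DOMAIN
SRS_SECRET = b"constructed-secret-change-me"
MAX_AGE_DAYS = 21
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=SPF_RECORDS, depth=0):
    """Minimal SPF evaluator. Mechanisms needing more DNS (a, mx, ptr, exists)
    give 'permerror' here; a real deployment uses Exim's spf lookup or pyspf."""
    if depth > 10:
        return "permerror"
    terms = records.get(sender_domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term:                         # modifier, e.g. redirect= / exp=
            key, _, value = term.partition("=")
            if key == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            matched = check_spf(arg, client_ip, records, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(redirect, client_ip, records, depth + 1)
    return "neutral"


def srs_needed(return_path, recipient_domain, enforcers=ENFORCERS,
               our_ip=FORWARDER_IP, records=SPF_RECORDS):
    """The router's 'domains = lsearch;...' plus its srs_condition. The regex
    match {...}{fail} catches "softfail" too, so both are listed explicitly.
    An empty return path (a bounce) is never rewritten."""
    if not return_path or recipient_domain.lower() not in enforcers:
        return False
    sender_domain = return_path.rpartition("@")[2]
    return check_spf(sender_domain, our_ip, records) in ("fail", "softfail")


def srs_timestamp(day=None):
    """Two base32 chars encoding the day number mod 1024."""
    if day is None:
        day = int(time.time() // 86400)
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def srs_hash(timestamp, domain, local):
    """First four base64 chars of HMAC-SHA1 over the (lowercased) fields."""
    msg = (timestamp + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SRS_SECRET, msg, hashlib.sha1).digest())[:4].decode()


def srs_forward(return_path, day=None):
    """SRS0=HHHH=TT=orig-domain=orig-local@SRS_DOMAIN."""
    local, _, domain = return_path.rpartition("@")
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{SRS_DOMAIN}"


def srs_reverse(address, day=None):
    """Undo srs_forward for a returning bounce; None if the hash is wrong,
    the timestamp is outside MAX_AGE_DAYS, or the address isn't ours."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != SRS_DOMAIN or not local.startswith("SRS0="):
        return None
    try:
        _, hh, ts, orig_domain, orig_local = local.split("=", 4)
    except ValueError:
        return None
    if not hmac.compare_digest(hh, srs_hash(ts, orig_domain, orig_local)):
        return None
    ts = ts.upper()
    encoded_day = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    now = int(time.time() // 86400) if day is None else day
    if (now - encoded_day) % 1024 > MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{orig_domain}"


def outgoing_return_path(return_path, recipient_domain, day=None):
    """Return path to use on the forwarded copy."""
    if srs_needed(return_path, recipient_domain):
        return srs_forward(return_path, day)
    return return_path
```

Note that mail from permissive.example is left alone even though it goes to an enforcing site, because its record already lists our forwarder (the "people we've complained to" case), and that a bounce with an empty return path is never rewritten.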