Autor: David Woodhouse Data: Dla: Ian Eiloart CC: David Saez Padros, exim-users, Doug Jolley Temat: Re: [exim] Compile time problems
On Mon, 2006-04-03 at 11:58 +0100, Ian Eiloart wrote: > But, it is potentially useful for whitelisting. If there are domains that
> you trust, then SPF can be used to determine whether the email is coming
> from their approved IP addresses.
Yeah, that's a sane enough theory, and I did refer briefly to the fact
that it can be used for whitelisting.
> If they are, then you may be able to
> accept the email without spam filtering. For example, I'd be happy to
> accept mail without spam filtering from educational domains (*.ac.uk,
> *.edu) when I'm sure that the email is coming from an institutional server.
Yeah, that makes a lot of sense. I also accept mail from _servers_ which
I know are competently run, and they get excepted from certain
heavyweight checks on what they send me.
But there are at least three flaws which would prevent me from using
_SPF_ for such a task:
1. SPF doesn't cover the case of mail which just happens to be
_forwarded_ through another trusted server, rather than originating
there. Host-based checks do cover that.
2. SPF doesn't necessarily include _only_ the departmental servers in
its 'PASS' results -- it could well include the students' subnets too,
and I doubt you want to whitelist those. Because SPF is _intended_ for
rejection, people have to be permissive in their records.
3. A domain which publishes SPF records isn't really likely to be
considered 'competent' in my part of the world anyway :)
(and the fourth is just that I wouldn't want to encourage the adoption
of SPF, because too many people use it for the _wrong_ purpose -- i.e.
the purpose for which it was designed.)
But yes, I suppose it can sort of do the job, if you don't think about
it _too_ hard. I personally would be _far_ more inclined to use CSV for
that purpose, though.
> SPF may not be ideal for it's intended purpose, but that doesn't mean that
> it has no useful applications. Where your article says "If you use SPF, you
> will be causing genuine email to be rejected." instead you should say "If
> you use SPF _to_reject_email_, you will be causing genuine email to be
> rejected."