2008/12/23 Stephen Gran <steve@???>:
> On Tue, Dec 23, 2008 at 09:38:22AM +0000, Peter Bowyer said:
>> 2008/12/22 Matthew Newton <mcn4@???>:
>> > On Mon, Dec 22, 2008 at 07:44:49AM -0800, Dan_Mitton@??? wrote:
>> >> You might want to look into implementing SPF. It would catch any mail
>> >> forged from your domain. www.openspf.org
>> >
>> > Probably more reliable to configure BATV, which will refuse all
>> > bounces if they are not arriving at a 'signed' address. Immediate
>> > fix for the joe-job problem.
>>
>> ... with the caveat that all outgoing mail must be signed, implying
>> that it (probably) all needs to flow out through the same MTA.
>> Otherwise you risk rejecting bounces to mail that was sent genuinely
>> but not BATV-signed (which may or may not be important depending on
>> the implementation).
>
> BATV is a standard, so if you have two MTAs implementing it correctly,
> it shouldn't matter which one the mail left from. This is, of course,
> only in theory - I am quite sure someone will manage to come up with a
> case where this breaks :)
Sure - but the problem case is when mail is orignated outside of the
domain of control - like this message, for example, from Gmail. Who
don't sign return paths with BATV.
Peter
--
Peter Bowyer
Email: peter@???
Follow me on Twitter: twitter.com/peeebeee