Author: W B Hacker Date: To: exim-users Subject: Re: [exim] Default enabling of dnsdb
Phil Pennock wrote:
> On 2009-05-06 at 09:27 +0100, Mike Cardwell wrote:
>> Quite a lot of domains have an SPF record of "v=spf1 -all". I never
>> found out *why* this is the case, but it is.
>
> I have the domains: globnix.org globnix.net globnix.com
>
> The first two are in active use. The third is not used for sending mail
> and mostly is a placeholder, which makes it rather convenient for
> various tests, where I need a real registered domain.
>
> globnix.com never sends mail.
Different <domain>.<tld> here, but we are much on the 'same wavelength'
so far...
> .. I used to get joe-job backscatter for it.
> Between DomainKeys and the SPF "v=spf1 -all" I no longer get joe-job
> backscatter for it.
Without either, I get JJB almost never... as in the odd singleton
response to a forgery about 2 or 3 times a year.
Now - it may be because only a few such are not themselves forgeries of
bounces of forgeries...
IOW - if I accepted traffic less cautiously, I might see more.
>
> There are many issues with SPF and how it relates to forwarding, but if
> a domain never sends mail in the first place, then there's no mail to
> forward and it's safe to publish SPF records for that domain.
>
I find it easier to not run anything on port 25, and not publish MX or
PTR for that IP. ELSE point at least MX to another server I DO run an
MTA on. But that's not a biggie either way...
> More, it's polite to publish such an SPF record for that sort of domain,
> letting others have a lightweight check to reject inbound spam.
>
> Regards,
> -Phil
>
Can't disagree with the 'polite' part, either, but ...
Here's why I asked:
- IF I were to receive incoming purporting to be from, using your
example, globnix.com AND the rDNS passed muster, I'd presume you
intended to send, and - while making other tests - not have a care as to
the presence, let alone 'nuances' of an spf record.
Simply put, it tells me nothing any more useful than what is already in
front of me.
- IF, OTOH, said arrival was a forgery, I'd not need to look at an spf
record to determine that, either.
Ergo, if I were to recompile with DNSDB (prerequisite), and insert the
code for that test ..
... it would be most unlikely to ever 'trigger'.
- A 'legit' message would live or die on the credentials of the sending
server, (rDNS, FQDN in HELO, correct format and MIME-type usage), AND
NOT ClamAV or SA finding malware or unwanted content/attachments.
- A forgery would not make it past acl_smtp_connect.
That said, the code *could* be 'traversed' even if not triggered.
And there is my real objection..
Are you making this sort of callout / DNSDB lookup on all - or even a
large percentage of traffic transiting?
Surely the percentage of arrivals that might have usable information
must be small?
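As an added illustration of the "lightweight check" Phil describes (this is not code from the thread or from Exim): a minimal SPF evaluation that recognises a bare "v=spf1 -all" record and returns the SPF result for a connecting IP. globnix.com is the domain named above; example.test and nospf.test and all TXT contents are constructed stand-ins for the DNS lookup (what Exim's dnsdb txt= lookup would return), so the code runs offline.

```python
import ipaddress

# Constructed sample TXT records keyed by domain. These stand in for a
# real DNS TXT lookup so the example runs without network access.
SAMPLE_TXT = {
    "globnix.com": ["v=spf1 -all"],                    # declares "never sends mail"
    "example.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],  # hypothetical sending domain
    "nospf.test": ["some unrelated txt record"],       # no SPF record at all
}

# SPF qualifier prefixes and the result they yield when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's single SPF record, or None if absent or duplicated."""
    recs = [r for r in SAMPLE_TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def declares_no_mail(record):
    """True only for the bare 'v=spf1 -all' record discussed in the thread."""
    return record is not None and record.split()[1:] == ["-all"]


def evaluate(domain, client_ip):
    """Minimal SPF check supporting ip4, ip6 and all mechanisms only.

    include/redirect/a/mx/exists are deliberately not implemented; any
    unsupported term is skipped, which is enough for the records above.
    Returns one of: pass, fail, softfail, neutral, none.
    """
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # membership test is False when address families differ
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # record exhausted without an 'all' term
```

For a non-sending domain such as globnix.com every client IP evaluates to "fail", which is exactly why the record costs the receiver one TXT lookup and nothing more.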