
Re: SPF and senderokwithdns



On Sun, 2004-07-11 at 15:04, Matti Aarnio wrote:

> > I found why SPF check was not always properly done here.  It was an
> > unwanted result of "senderokwithdns" logic.  In policytest.c around the
> > line 1864, sender_dns_verify() is called (three times), and if it is
> > successful, further SPF and WHOSON checks are not performed.  For now, I
> > changed "return rc;" to "if (rc) return rc;" after the three instances
> > of sender_dns_verify() call.  But maybe it would be better to move SPF
> > block upwards, before sender_dns_verify things?  What would you say?

> It is a matter of priorities.  Some things must happen before
> SPF, some may happen after.

> An authenticated user gets their source address verified for DNS
> existence, otherwise they are free to claim any address (perhaps
> I will finally write the external policy hook for you to be able
> to verify such details as you wish).  The WHOSON is an alternate
> way to do that user authentication, IMO.

> IP-ACL based "always accept" will also precede SPF check, I think.

> Only the SenderOkWithDNS test will be after the SPF check.

Maybe the checks in pt_mailfrom() should be reordered in this way:

1. block if senderokwithdns fails
2. block if ratelimiter triggers
3. allow if user authenticated via smtp auth, whoson
4. block if freezesource, rejectsource
5. allow if relaycustnet
6. block if SPF orders block
7. allow

Eugene
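The ordering proposed above, written out as an added C illustration so the precedence can be exercised on constructed inputs. This is not ZMailer's policytest.c or pt_mailfrom(): the struct, the flag names and the two return-value conventions modelled below are hypothetical. It also models the symptom the original poster describes, a successful sender_dns_verify() returning straight away so SPF is never consulted, next to the "if (rc) return rc;" shape of the interim fix.

```c
/* Added illustration (not ZMailer's own code). All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum pt_verdict { PT_ALLOW = 0, PT_BLOCK = 1 };

/* Facts pt_mailfrom() would already have gathered; constructed for the demo. */
struct mf_ctx {
    bool sender_dns_ok;     /* senderokwithdns: MAIL FROM domain exists in DNS */
    bool ratelimited;       /* rate limiter triggered */
    bool authenticated;     /* SMTP AUTH or WHOSON identified the user */
    bool freeze_or_reject;  /* freezesource / rejectsource matched */
    bool relaycustnet;      /* source IP is in a relay customer network */
    bool spf_blocks;        /* SPF evaluation orders a reject */
};

struct mf_ctx mf_ctx_make(bool dns_ok, bool ratelimited, bool authenticated,
                          bool freeze_or_reject, bool relaycustnet, bool spf_blocks)
{
    struct mf_ctx c = { dns_ok, ratelimited, authenticated,
                        freeze_or_reject, relaycustnet, spf_blocks };
    return c;
}

/* The ordering proposed in the message: earlier rules win over later ones. */
enum pt_verdict pt_mailfrom_proposed(struct mf_ctx c)
{
    if (!c.sender_dns_ok)    return PT_BLOCK;  /* 1. senderokwithdns fails   */
    if (c.ratelimited)       return PT_BLOCK;  /* 2. ratelimiter triggers    */
    if (c.authenticated)     return PT_ALLOW;  /* 3. smtp auth / whoson      */
    if (c.freeze_or_reject)  return PT_BLOCK;  /* 4. freezesource/rejectsource */
    if (c.relaycustnet)      return PT_ALLOW;  /* 5. relaycustnet            */
    if (c.spf_blocks)        return PT_BLOCK;  /* 6. SPF orders block        */
    return PT_ALLOW;                           /* 7. allow                   */
}

/* Hypothetical stand-in for sender_dns_verify(): 0 = ok, nonzero = reject. */
static int sender_dns_verify_stub(struct mf_ctx c)
{
    return c.sender_dns_ok ? 0 : 1;
}

/* The behaviour the poster found: "return rc;" right after the DNS check,
 * so a successful verify (rc == 0) ends the function and SPF is skipped. */
enum pt_verdict pt_mailfrom_early_return(struct mf_ctx c)
{
    int rc = sender_dns_verify_stub(c);
    return rc ? PT_BLOCK : PT_ALLOW;
}

/* The interim change, "if (rc) return rc;": only a failing verify returns
 * early; a successful one falls through to the SPF block. */
enum pt_verdict pt_mailfrom_patched(struct mf_ctx c)
{
    int rc = sender_dns_verify_stub(c);
    if (rc) return PT_BLOCK;
    if (c.spf_blocks) return PT_BLOCK;
    return PT_ALLOW;
}

static const char *name(enum pt_verdict v) { return v == PT_ALLOW ? "allow" : "block"; }

int main(void)
{
    /* Constructed case: DNS check passes, SPF says reject. */
    struct mf_ctx c = mf_ctx_make(true, false, false, false, false, true);
    printf("early-return: %s\n", name(pt_mailfrom_early_return(c)));
    printf("patched:      %s\n", name(pt_mailfrom_patched(c)));
    printf("proposed:     %s\n", name(pt_mailfrom_proposed(c)));
    return 0;
}
```

Run stand-alone, the constructed case (DNS ok, SPF reject) prints "allow" for the early-return shape and "block" for both the patched and the proposed ordering, which is exactly the discrepancy the thread is about. The proposed function also encodes the priorities Matti Aarnio states: a failed DNS check or a tripped rate limiter blocks even an authenticated user, while an authenticated user or a relay customer net is allowed before SPF is consulted.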

-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi