Re: SPF and senderokwithdns
On Tue, Jul 13, 2004 at 03:55:49PM +0400, Eugene Crosser wrote:
> On Tue, 2004-07-13 at 14:36 +0300, Matti Aarnio wrote:
>
> > > With your today's change, the senderokwithdns check in pt_mailfrom is the
> > > very last, and it is not done if the sender is "authorized". Was that
> > > your intention? I think that if one wants to disallow unroutable
> > > "mail from", he wants to do that for all, authorized and non-authorized
> > > senders. And therefore the check should be done very early, maybe even
> > > before "if (state->full_trust) return 0;" around line 1704.
> >
> > It is a wee bit of a complicated thing indeed..
> >
> > When the matter is about a remote SPF publisher who wants to be
> > protected, then things are as you say, but when it is about the
> > _local_ SPF set, then e.g. users must be able to send out
> > from wherever they are, as long as they have authenticated..
>
> Wait, wait! I am not talking about SPF. SPF is at the right place now.
> My note was about senderokwithdns, i.e. validity of "mail from" provided
> by the client. I think that this check should be done regardless of all
> others, should it?
After a lunch, and a nap on top of it...
No, the idea with "full-trust" is that nothing will ever get checked.
You are not supposed to use 'full-trust +' attribute for anything, except
very rarest of source systems. (Like wanting admin emails in always,
no matter what..)
Normal level of "customer in our networks" is 'relaycustnet +' which sets
the always_accept flag, and that is tested for just before SPF.
However, 'sender_dns_verify()' is called in multiple places,
including in the always_accept tests just before the SPF.
This is what you wanted, isn't it?
> Eugene
--
/Matti Aarnio <mea@nic.funet.fi>
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
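The ordering Matti describes (full-trust short-circuits everything; relaycustnet sets always_accept, and the sender DNS check still runs there just before SPF; everyone else gets SPF with senderokwithdns last) is easy to get wrong, so here is a small model of it. This is an added example written for this archive page, not ZMailer's pt_mailfrom() or any of its real functions; the flag names are borrowed from the message, and the DNS and SPF tables are constructed stand-ins so it runs offline.

```python
"""Constructed model of the MAIL FROM policy ordering discussed in the thread.
Added illustration, not ZMailer code: attribute names mirror the message,
the DNS and SPF tables are made up."""
from dataclasses import dataclass
from enum import Enum

# Constructed stand-in for DNS: sender domains that resolve to an MX or A record.
RESOLVABLE_DOMAINS = {"example.org", "example.net"}

# Constructed stand-in for published SPF records: domain -> permitted client IPs.
SPF_POLICIES = {"example.org": {"192.0.2.10"}}


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT_UNROUTABLE = "reject: MAIL FROM domain does not resolve"
    REJECT_SPF = "reject: SPF fail"


@dataclass
class ClientState:
    """Per-connection policy flags (hypothetical names modelled on the message)."""
    full_trust: bool = False     # 'full-trust +'  : nothing is ever checked
    always_accept: bool = False  # 'relaycustnet +': customer in our networks


def sender_dns_verify(mail_from: str) -> bool:
    """Hypothetical senderokwithdns check: does the MAIL FROM domain resolve?"""
    if mail_from == "":  # null sender <> (bounces) has no domain to verify
        return True
    domain = mail_from.rpartition("@")[2].lower()
    return domain in RESOLVABLE_DOMAINS


def spf_check(mail_from: str, client_ip: str) -> bool:
    """Toy SPF: pass unless the domain publishes a policy that excludes client_ip."""
    domain = mail_from.rpartition("@")[2].lower()
    permitted = SPF_POLICIES.get(domain)
    return permitted is None or client_ip in permitted


def pt_mailfrom(state: ClientState, mail_from: str, client_ip: str,
                senderokwithdns: bool = True) -> Verdict:
    """Order of checks as described in the reply (model, not the real code)."""
    # 1. 'full-trust +' short-circuits before anything is looked at.
    if state.full_trust:
        return Verdict.ACCEPT
    # 2. 'relaycustnet +' sets always_accept; the sender DNS check still runs
    #    here, just before where SPF would be, so an unroutable MAIL FROM is
    #    refused even for trusted customer networks.
    if state.always_accept:
        if senderokwithdns and not sender_dns_verify(mail_from):
            return Verdict.REJECT_UNROUTABLE
        return Verdict.ACCEPT
    # 3. Everyone else: SPF first, senderokwithdns as the very last check.
    if not spf_check(mail_from, client_ip):
        return Verdict.REJECT_SPF
    if senderokwithdns and not sender_dns_verify(mail_from):
        return Verdict.REJECT_UNROUTABLE
    return Verdict.ACCEPT


if __name__ == "__main__":
    cases = [
        (ClientState(full_trust=True), "a@bogus.invalid", "198.51.100.1"),
        (ClientState(always_accept=True), "a@bogus.invalid", "198.51.100.1"),
        (ClientState(), "a@example.org", "198.51.100.1"),
    ]
    for st, mf, ip in cases:
        print(st, mf or "<>", ip, "->", pt_mailfrom(st, mf, ip).value)
```

The point the model makes concrete: a source marked 'full-trust +' gets an unresolvable MAIL FROM accepted with no check at all, while the same sender from a 'relaycustnet +' network is refused, which is why full-trust should be reserved for the rare case of hosts you really want in no matter what.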