
Re: SPF and senderokwithdns

On Sun, Jul 11, 2004 at 03:37:19AM +0400, Eugene Crosser wrote:
> Matti,
> I found why SPF check was not always properly done here.  It was an
> unwanted result of "senderokwithdns" logic.  In policytest.c around the
> line 1864, sender_dns_verify() is called (three times), and if it is
> successful, further SPF and WHOSON checks are not performed.  For now, I
> changed "return rc;" to "if (rc) return rc;" after the three instances
> of sender_dns_verify() call.  But maybe it would be better to move SPF
> block upwards, before sender_dns_verify things?  What would you say?

It is a matter of priorities.  Some things must happen before
SPF, some may happen after.

An authenticated user gets their source address verified for DNS
existence, otherwise they are free to claim any address (perhaps
I will finally write the external policy hook for you to be able
to verify such details as you wish).  The WHOSON is an alternate
way to do that user authentication, IMO.

IP-ACL based "always accept" will also precede SPF check, I think.

Only the SenderOkWithDNS test will be after the SPF check.

> Eugene
/Matti Aarnio	<mea@nic.funet.fi>
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
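
Added example, not part of the original messages and not ZMailer source: a small C model of the check ordering discussed in this thread, showing the reported early return, the "if (rc) return rc;" workaround, and the ordering described in the reply. The struct, its fields, the return codes and the policy_* function names are hypothetical; the convention that 0 means accept and nonzero means reject is an assumption inferred from the quoted change.

```c
#include <stdio.h>

/* Constructed model, not ZMailer source. Assumption: 0 = accept / keep
 * going, nonzero = reject, inferred from the "if (rc) return rc;" change. */
enum { ACCEPT = 0, REJECT_DNS = -1, REJECT_SPF = -2 };

struct msg {             /* hypothetical per-message policy state */
    int authenticated;   /* user authentication (or WHOSON) succeeded */
    int ip_acl_accept;   /* IP-ACL "always accept" matched */
    int senderokwithdns; /* the senderokwithdns test is enabled */
    int sender_dns_ok;   /* sender domain exists in DNS */
    int spf_pass;        /* SPF permits this client for the sender */
};

static int sender_dns_verify(const struct msg *m) { return m->sender_dns_ok ? ACCEPT : REJECT_DNS; }
static int spf_check(const struct msg *m) { return m->spf_pass ? ACCEPT : REJECT_SPF; }

/* Reported behaviour: a successful DNS verify returns and SPF is skipped. */
int policy_reported(const struct msg *m) {
    if (m->senderokwithdns)
        return sender_dns_verify(m);
    return spf_check(m);
}

/* Workaround from the report: return only on failure, then fall through. */
int policy_workaround(const struct msg *m) {
    if (m->senderokwithdns) {
        int rc = sender_dns_verify(m);
        if (rc) return rc;
    }
    return spf_check(m);
}

/* Ordering from the reply: auth and IP-ACL first, SPF, SenderOkWithDNS last. */
int policy_reordered(const struct msg *m) {
    int rc;
    if (m->authenticated) return sender_dns_verify(m);
    if (m->ip_acl_accept) return ACCEPT;
    if ((rc = spf_check(m)) != ACCEPT) return rc;
    return m->senderokwithdns ? sender_dns_verify(m) : ACCEPT;
}

int main(void) {
    struct msg forged = {0, 0, 1, 1, 0}; /* constructed: domain exists, SPF fails */
    printf("reported=%d workaround=%d reordered=%d\n", policy_reported(&forged),
           policy_workaround(&forged), policy_reordered(&forged));
    return 0;
}
```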