Re: SPF and senderokwithdns

On Tue, 2004-07-13 at 14:36 +0300, Matti Aarnio wrote:

> > with your change today, the senderokwithdns check in pt_mailfrom is the
> > very last, and it is not done if the sender is "authorized".  Is that
> > what your intention was?  I think that if one wants to disallow unroutable
> > "mail from", he wants to do that for all, authorized and non-authorized
> > senders.  And therefore the check should be done very early, maybe even
> > before "if (state->full_trust) return 0;" around line 1704.
> It is a wee bit of a complicated thing indeed...
> When the matter is about a remote SPF publisher who wants to be
> protected, then things are as you say, but when it is about
> a _local_ SPF set, then e.g. users must be able to send out
> from wherever they are, as long as they have authenticated...

Wait, wait!  I am not talking about SPF.  SPF is at the right place now.
My note was about senderokwithdns, i.e. the validity of the "mail from"
provided by the client.  I think that this check should be done regardless
of all others, shouldn't it?


