[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPF and senderokwithdns

On Tue, 2004-07-13 at 18:19 +0300, Matti Aarnio wrote:

> > > > with your today's change, senderokwithdns check in pt_mailfrom is the
> > > > very last, and it is not done if the sender is "authorized".  Is it what
> > > > was your intention?  I think that if one wants to disallow unroutable
> > > > "mail from", he wants to do that for all, authorized and non-authorized
> > > > senders.  And therefore the check should be done very early, maybe even
> > > > before "if (state->full_trust) return 0;" around the line 1704.
> > > 
> > > It is a wee bit complicated thing indeed..
> > > 
> > > When the matter is about remote SPF publisher, who want to be
> > > protected, then things are as you say,  but when it is about
> > > _local_ SPF set, then e.g. users must be able to send out
> > > from where-ever they are, as long as they have authenticated..
> > 
> > Wait, wait!  I am not talking about SPF.  SPF is at the right place now.
> > My note was about senderokwithdns, i.e. validity of "mail from" provided
> > by the client.  I think that this check should be done regardless of all
> > others, should it?
> After a lunch, and a nap on top of it...
> No, the idea with "full-trust" is that nothing will ever get checked.
> You are not supposed to use 'full-trust +' attribute for anything, except
> very rarest of source systems.  (Like wanting admin emails in always,
> no matter what..)


> Normal level of "customer in our networks" is 'relaycustnet +'  which sets
> the  always_accept flag, and that is tested for just before SPF.
> However the 'sender_dns_verify()' is being called in multiple places,
> including in the  always_accept  tests just before the SPF.
> This is what you wanted, wasn't it ?

I wanted to check sender_dns_verify() even for authenticated users, and
for users coming from trusted networks.  Because the earlier a customer
is hinted about mistyped "From" address the better.

But actually I don't care too much, just thought that it would be the
right thing...


This is a digitally signed message part