Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SPF: SRS

private relay ... could i use srs to avoid spf fail?

 

 

First page Previous page 1 2 Next page Last page  View All SPF srs RSS feed   Index | Next | Previous | View Threaded


stpeters at netheaven

Dec 1, 2006, 1:20 PM

Post #26 of 29 (6402 views)
Permalink
Re: private relay ... could i use srs to avoid spf fail? [In reply to]

wayne writes:

> In <17776.15222.910009.720786 [at] saint> "Dick St.Peters" <stpeters [at] netheaven> writes:
>
> > If you use SRS to reject bogus DSNs, you will also reject return
> > receipts from Outlook (and probably Outlook Express) users.
>
> Are you saying that Outlook doesn't send DSNs to the 2821.MAILFROM, as
> RFC3834 says to? If so, what does it send it to instead?

Return receipts and DSNs aren't the same thing.

I presume Outlook sends its return receipts to the 2822.FROM, but for
all I know it could even send them to an address from the Outlook
user's Address Book.

Most of my users using Outlook are using versions dating to well
before RFC3834 was published. Outlook's return receipts aren't quite
automatic responses anyway, as Outlook lets the user add a message to
the return receipt. I think it gives the user the option of not
sending the receipt also.

> > Rejecting non-SRS DSNs also rejects responses from some
> > autoresponders. While many people might think of this as a Good
> > Thing, I have users who consider out-of-office notifications
> > valuable.
>
> Again, it sounds like those systems are broken by not sending to the
> 2821.MAILFROM.
>
>
> > Rejecting non-SRS DSNs naively also rejects postmaster-verification
> > callbacks, causing some sites to reject your mail.
>
> Again, those systems sound broken. If a call-back verification is
> checking the 2821.MAILFROM, it should give use a NULL MAIL FROM on the
> check (and a RCPT TO do the original 2821.MAILFROM). If the call-back
> verification is using something like the 2822.From: header, it should
> use something like <postmaster [at] domain-using-cbv> as the
> 2821.MAILFROM.

As an email administrator a lot of what I do is compensate for the
behaviors of other mail systems (and of MUAs like Outlook) in order to
get my users' mail through. I can't change what other people do, so I
deal with it.

--
Dick St.Peters, stpeters [at] NetHeaven
Gatekeeper, NetHeaven, Saratoga Springs, NY

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1129


julian at mehnle

Dec 1, 2006, 3:32 PM

Post #27 of 29 (6382 views)
Permalink
Re: private relay ... could i use srs to avoid spffail? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Weiner wrote:
> On 12/1/06 10:08 AM, "wayne" <wayne [at] schlitt> wrote:
> > This is actually one place that SPF can help, even if you prefer other
> > systems. By putting a "tracking exists" in an SPF record and
> > monitoring your name server logs, you can often tell who is not
> > relaying email through your authorized MTAs. Just use something like:
> >
> > domain.tld TXT "v=spf1
> > exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all"
>
> I do not follow this 'tracking exists' record...could you explain in a
> little more detail please?!?

The point of such a "tracking exists" mechanism is to receive DNS 'A'
queries for artificial domain names containing information about the SMTP
sender of e-mail messages using your domain. You can then use the
received DNS queries to compile statistics on who sends mail using your
domain.

Of course you need to send empty DNS responses to all queries or the
"exists:" mechanism would match and thus authorize the sending.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFcLtywL7PKlBZWjsRAssUAKCsaSwHul7UbyqJT9ZjBfgaRARxfQCg+DmW
VH9lLli5O0N1u5trvMCNbsY=
=ha1p
-----END PGP SIGNATURE-----

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1129


sethg at goodmanassociates

Dec 1, 2006, 6:24 PM

Post #28 of 29 (6375 views)
Permalink
RE: private relay ... could i use srs to avoid spffail? [In reply to]

Stuart D. Gathman wrote on Friday, December 01, 2006 8:57 AM -0600:

> On Fri, 1 Dec 2006, wayne wrote:
>
> > Some people have also suggested that by using SRS on all outgoing
> > email lets you reject bogus bounces, but in order to do that you
> > have to make sure that *ALL* legitimate email sent using your
> > domain name gets processed by SRS. Roaming users and people
> > working form home and such have to be tought to always use
> > RFC2476's SMTP submission port (587).
>
> Making roaming users always relay through home is essential for a
> decent SPF policy also. Note that Outlook must use smtps (465)
> instead. Another solution is an SSH tunnel (e.g. Putty for Windows)
> or a VPN.

I use Outhouse and send mail through some MTA's on port 587, some on
port 465. What is the problem you see when your users try port 587?

--
Seth Goodman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1129


stuart at bmsi

Dec 2, 2006, 8:24 AM

Post #29 of 29 (6393 views)
Permalink
RE: private relay ... could i use srs to avoid spffail? [In reply to]

On Fri, 1 Dec 2006, Seth Goodman wrote:

> I use Outhouse and send mail through some MTA's on port 587, some on
> port 465. What is the problem you see when your users try port 587?

The only pasword methods supported are rlogin (deprecated) and ntpwd
(proprietary). Sendmail doesn't support ntpwd out of the box, and rlogin
requires an encrypted session. Outhouse doesn't support TLS, so you
can't use port 587 for an encrypted session. Fortunately, it does
support smtps (deprecated), so problem solved.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1129

First page Previous page 1 2 Next page Last page  View All SPF srs RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.