In my quest to implement a mixed Google Mail/Postfix mail solution for my domain, I just came across a situation that shows how SPF really really sucks and is fundamentally broken.
Basically SMTP allows e-mail to be relayed from server to server, and not just passed from one server to one other server. Along the way each server adds its headers so you can track the hops back to the sender. This is perfectly legit. BUT, if you do it, SPF looks at the last server that handed off the mail and says, "but wait. That server isn't authorized to send mail on behalf of somedomain.com." That's bogus because the server who relayed the mail didn't send on behalf of the domain; it just relayed it on behalf of the server that did. And SPF thinks that my server is now forging e-mails from *any* SPF-enabled domain that sends to me. Of course it's a tricky problem because SPF cannot just look for any match in the list of relays, since it can't guaranty that those headers aren't forged. So it's a completely and utterly broken system. Of course, since many people have chosen to use it, I have to now figure out a workaround. Which will likely be to have google pick everything up and then fetchmail certain people's accounts back down to my postfix server. Nasty. So for anyone considering a mixed google mail / normal mail solution, it's likely not going to work because of SPF. Michael /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
