Bob Dodds wrote:

Elliot Foster wrote:

John Peacock wrote:

Elliot Foster wrote:

You could also use port 587 (submission) non-ssl if you're just trying to get around port 25 being blocked. That way you wouldn't have to re-route the connections to localhost. You would also be able to retain the connecting IP.



But then I'd have to run a second instance of qpsmtpd in that case (since I don't see any support for running on two ports in the existing code).


Or do some port forwarding trickery, but that becomes clumsy, and not intuitively maintainable. Does the trunk (or forkserver) have code that allows it to listen on multiple ports/interfaces/ips?

I used stunnel for a while, but I didn't like not being able to tell from where someone was connecting.

I'm assuming the "some stupid admins" part was a joke? Or are they blocking on SPF soft failures?



No joke. I don't think that SPF is ready to be used to block mail (hard *or* soft failure). The one site is running some M$loth anti-spam feature for Exchange and I get no reason back why they are blocking. I have our SPF records set to hard fail and so far I have exactly 1 domain that blocked the mail (which shows exactly how useless SPF is)...

John



What happens, just a plain deny (45x/55x)?

If anyone ever forges an email to me that says it's from you, I'll be domain #2. :) I don't block soft failures, but I'm using it to block phishing scams trying to deliver messages to my users, pretending to be [EMAIL PROTECTED] (or somesuch). I tend to get a lot of those.

It just needs to reach some sort of critical mass before it really becomes useful.

A common SPF violation is to spoof being an authority
at MTAs' domains, as social engineering for a phish attack.


Yes, which is what I described above.  Are you answering a question?

Another is to spoof being a subscriber on a mailing list.

How would you know how many times your users have
been spoofed to listservers elsewhere, spoof blocked,
based on your spf records? You would have to host
lists to project the value of spf to your users at other
listservers. Or be unscientific and just assume like I
do. I don't know of any "studies" to consult.


You wouldn't know, because in an ideal world, other MTAs would be blocking people trying to spoof your domain. Unless these remote MTAs report back that they denied some random person based on SPF records from your domain, you (at your server(s)) would never know.

As in, hopefully hotmail's MXs would be checking for SPF, and if they receive a message being sent as if from my domain, but not from one of my servers, then they choose to deny it. I would never know.

You would have a log of the [EMAIL PROTECTED] phish, if
you denied on spf fail. That's one spf benefit I'm logging
http://perlq.org/ and I'm not even running any lists which
would bump up the stats for spf.

-Bob


Are you answering a question here, or making a suggestion?
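The outcomes the thread argues over (a hard fail from a "-all" record, a soft fail from "~all", and a receiver that either denies with a 55x or just logs the result) can be seen in a small SPF evaluator. This is an added example, not code from the thread or from qpsmtpd; it uses constructed SPF records in place of DNS TXT lookups, and it handles only the ip4, ip6 and all mechanisms (a, mx and include need live DNS and are treated as non-matching here).

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed SPF records standing in for DNS TXT lookups (not real DNS data).
SPF_RECORDS: Dict[str, str] = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",  # hard fail
    "example.net": "v=spf1 ip4:203.0.113.0/28 ~all",                # soft fail
    "example.com": "v=spf1 ip4:203.0.113.64/26 ?all",               # neutral
}

# Mechanism qualifiers and the result each one yields on a match (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> Optional[str]:
    """Stand-in for a TXT lookup; returns the constructed record or None."""
    return SPF_RECORDS.get(domain.lower())


def evaluate_spf(domain: str, client_ip: str,
                 lookup: Callable[[str], Optional[str]] = lookup_spf) -> str:
    """Evaluate the connecting IP against the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none.
    Only ip4/ip6/all are implemented; any other mechanism is a non-match.
    """
    record = lookup(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") or mech.startswith("ip6:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists: would need DNS; treated as no-match here
    # No mechanism matched and no "all" term: RFC 7208 says neutral.
    return "neutral"


def spf_policy(domain: str, client_ip: str,
               block_softfail: bool = False) -> Tuple[str, Optional[str], str]:
    """Turn an SPF result into an MTA decision plus a log line.

    Hard fail is always denied with a 550; soft fail is denied only when
    block_softfail is set (the thread's poster accepts soft fails and logs them).
    Returns (decision, smtp_reply_or_None, log_line).
    """
    result = evaluate_spf(domain, client_ip)
    log_line = f"spf={result} domain={domain} client={client_ip}"
    if result == "fail" or (result == "softfail" and block_softfail):
        reply = f"550 5.7.1 SPF {result} for {domain} from {client_ip}"
        return ("deny", reply, log_line)
    return ("accept", None, log_line)


if __name__ == "__main__":
    # Constructed connections: one legitimate, one spoofing the hard-fail domain,
    # one spoofing the soft-fail domain.
    for dom, ip in [("example.org", "192.0.2.10"),
                    ("example.org", "203.0.113.5"),
                    ("example.net", "203.0.113.99")]:
        decision, reply, log_line = spf_policy(dom, ip)
        print(log_line, "->", decision, reply or "")
```

The evaluator is deliberately strict about the record's own qualifier, so the same spoofed connection is denied for the "-all" domain, logged and accepted for the "~all" domain, and neither for a domain without a record; that difference is why the thread's posters see so few actual blocks from a hard-fail record unless the receiving side chose to enforce it.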
