On 2020-10-27 09:04, Gert Doering wrote:
Hi,

On Tue, Oct 27, 2020 at 08:40:39AM +0100, Jeroen Massar wrote:
Mail server admin can do a SPF check (or have a list of allowed source
email domains) before outbound and reject forwarding these emails.

I read this and I wonder "which of the MTAs out there can do that" -
that is, check SPF (and others) for outgoing mails.

Not many, as normally you do not accept mail at ingress (smtp/maildrop) that you cannot send. I've built custom SMTP engines for people that did this though (and if the domain was not acceptable either reject that or wrap it in a @via.<domain> / SRS-style)
For a ready-off-the-shelf project I am sure that Halon (https://halon.io/) can do this though, but for most you would have to custom code an SPF-check-on-exit (as SPF mostly is applied to inbound).
For everybody else one simply configures a list of domains that one is authoritative for and just uses that when mail is dropped in over SMTP or maildrop. Hopefully along with valid DKIM + SPF records outbound and signing etc. when it actually goes out of the box.
"Blaming all on the MTA operator" isn't totally reasonable either - you
might have a totally valid configuration, and then someone whose mail you
legitimately sent before (either forward rules that had no conflicting
SPF yet, or your server was listed, or...) changes *their* SPF stuff,
making *your* MTA noncompliant.

Is this an error?  Yes, surely.

Is the MTA operator to blame for it?  Possibly sometimes, but certainly
not "always, and solely".

I don't think blaming somebody is a useful avenue.

As mentioned, marketing can be an annoying thing. For instance I noticed that one of our domains maxed out the SPF inclusion limit... because people just kept on piling on SPF includes, never actually understanding what it is for and what the limitations are. All that marketing spam (and all legit mail) ended up in SPF:permerr land, thus nicely rejected ;)


The reason for my mail was to elaborate what one could do against becoming listed in restrictive lists like UCEProtect.

Making sure one only egresses mail that one is supposed to send (SPF/DKIM/DMARC/ARC) is the only way to do that and would mean being a good citizen on the Internet, which is why lists like UCEProtect exist: if you configure your stuff correctly, you won't end up on them.


That said, I personally avoid strict lists like that, but everybody can pick their own lists, your domain, your selection on what to accept for whatever you want.

Greets,
 Jeroen
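The two points in the thread above, an outbound gateway that only lets mail from domains it is authoritative for leave the box (rejecting or @via.<domain>-wrapping the rest) and an SPF record that has had so many includes piled on that it exceeds the DNS lookup limit and lands in permerror, as an added example that is not part of the thread or of any product named in it. The record and addresses are constructed; `outbound_policy`, `parse_spf` and `count_lookups` are hypothetical helper names, and the rewrite is a simplified illustration of the @via.<domain> idea, not real SRS, which also adds a hash and timestamp.

```python
from typing import Iterable, List, Optional, Tuple

# Terms that cost a DNS lookup during SPF evaluation. RFC 7208 section 4.6.4
# caps them at 10 per evaluation; past that the result is permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed sample records (example domains only).
SAMPLE_OK = "v=spf1 a mx include:_spf.example.net ~all"
SAMPLE_OVERLOADED = (
    "v=spf1 ip4:192.0.2.0/24 a mx "
    "include:a.example include:b.example include:c.example include:d.example "
    "include:e.example include:f.example include:g.example include:h.example "
    "include:i.example -all"
)


def parse_spf(record: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split an SPF TXT record into (qualifier, name, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        qual = "+"
        if tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        if not tok:
            continue
        if "=" in tok:                      # modifier, e.g. redirect=_spf.example.net
            name, arg = tok.split("=", 1)
        elif ":" in tok:                    # mechanism with argument, e.g. include:x
            name, arg = tok.split(":", 1)
        else:                               # bare mechanism, maybe with CIDR: a, mx/24
            name, arg = tok.split("/", 1)[0], None
        terms.append((qual, name.lower(), arg))
    return terms


def count_lookups(record: str) -> int:
    """Top-level DNS-lookup terms in one record. Terms inside included records
    count against the same limit but need live DNS to resolve, so this is a
    lower bound on the real cost."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def spf_lookup_status(record: str) -> str:
    """'permerror' when the record on its own already breaks the limit, else 'ok'."""
    return "permerror" if count_lookups(record) > MAX_LOOKUPS else "ok"


def outbound_policy(mail_from: str, our_domains: Iterable[str],
                    via_domain: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Gateway decision for an envelope sender on the way out.

    ('accept', addr)      domain (or a subdomain) is one we are authoritative for
    ('rewrite', new_addr) foreign sender wrapped as local=domain@via.<via_domain>
                          (simplified; real SRS adds a hash and timestamp)
    ('reject', None)      foreign sender and no via_domain configured
    The null sender ('' or '<>') is always accepted so bounces still flow.
    """
    addr = mail_from.strip().strip("<>")
    if addr == "":
        return ("accept", "<>")
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return ("reject", None)
    domain = domain.lower()
    ours = {d.lower() for d in our_domains}
    if domain in ours or any(domain.endswith("." + d) for d in ours):
        return ("accept", addr)
    if via_domain:
        return ("rewrite", f"{local}={domain}@via.{via_domain}")
    return ("reject", None)


if __name__ == "__main__":
    for rec in (SAMPLE_OK, SAMPLE_OVERLOADED):
        print(count_lookups(rec), spf_lookup_status(rec), rec[:40] + "...")
    for sender in ("alice@example.org", "bob@other.example", "<>"):
        print(sender, outbound_policy(sender, ["example.org"], via_domain="example.org"))
```

Run against the constructed records, the three-term record is fine while the one with nine includes plus `a` and `mx` counts eleven lookups and is flagged; in practice the included records add their own lookups on top, which is exactly how a record drifts into permerror without anyone touching the top-level string.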



_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog