[Savannah-hackers-public] Re: [gnu.org #219521] Thoughs on SPF

[Sylvain Beucler via RT]

Hi,

Thanks for the clarification.

Also, Savane is already configured to send mail from
address@hidden as the envelop sender.


In this case, we are considering the CVS commit notifications. As far
as I see, the mail forwarder crafted by Paul is not issuing any
HELO/EHLO command.

Is there an Exim option to set the defaut envelop sender in case it
was not specified? Else, we need to make changes to the C mail
forwarder.

-- 
Sylvain

On Mon, Jan 31, 2005 at 11:33:57AM -0500, James Blair via RT wrote:
> > address@hidden - Thu Jan 13 16:23:09 2005]:
> > 
> > Hi,
> > 
> > Sorry to send you another mail, we have quite a lot of things to ask
> > you at the moment.
> > 
> > A user is complaining that we use, for CVS notifications, a solution
> > that rely on mail forgery, which is incompatible with the SPF, used
> > his ISP that hence discard such mails. Indeed, when I commit to a cvs
> > repository, a mail is sent on my behalf using the mail I set in the
> > Savane system. The user would rather have the system send mail as
> > address@hidden
> > 
> > For more information, conversation can be found here:
> > https://savannah.gnu.org/support/index.php?func=detailitem&item_id=103775
> > 
> > 
> > In a nutshell, I would like to know if you or the FSF in general have
> > any plans regarding SPF and domainkeys support for the gnu.org mail
> > system in general.
> > 
>  
> First, regarding SPF for gnu.org: we intend to use it.  Because we
> primarily are engaged in forwarding mail, we won't really utilize it
> until SRS is implemented for exim, our MTA.  This doesn't really
> affect the issue under consderation here except that it would be
> hippocritical of us to use SPF ourselves and yet send out mail
> incompatible with it.
> 
> As for savannah notifications, they should probably be sent out in
> another manner.  I think breaking SPF should be avoided, and of course
> there is the question of etiquitte in sending mail forged from someone
> else.
> 
> I would suggest we avoid address@hidden addresses for mail
> forwarding.  I don't think people really need to use savannah as a
> mail forwarding service, and it's not a particularly good use of
> savannah's limited computing resources.
> 
> A better idea would be making the system behave more like a mailing
> list.  Mailman sends out messages with sender addresses that look like
> address@hidden  That way the system can do bounce
> processing and not send out messages to email addresses that generate
> bounces.  I think that would be a useful feature for savannah as well
> as a good solution to the problem of sending forged email.  This also
> means that savannah will have to process mail though, and don't
> underestimate how much work that will be for the machine.  Though with
> this method you can greatly reduce the amount of actual deliveries the
> machine will have to deal with (most mail will be rejected).
> 
> The easiest solution all around though would be to send mail from a
> valid address.  We have already set up savannah-bounces for that
> purpose.  So simply changing the envelope sender to
> "address@hidden" should solve the problem.
> 
> Just to be clear, I'm writing about the envelope sender address.  If
> an attempt is being made to validate the "From:" header, that is
> entirely a different issue.
> 
> http://spf.pobox.com/faq.html#whichfield
> 
> -Jim
> 

-- 
Sylvain