Re: Sender Verification Doc
From: David Cary Hart (PostfixMTA@TQMcube.com)
Date: Wed Nov 01 2006 - 22:15:14 CST
On Wed, 1 Nov 2006 22:32:52 -0500, Victor Duchovni
<Victor.Duchovni@MorganStanley.com> opined:
> On Wed, Nov 01, 2006 at 10:18:52PM -0500, David Cary Hart wrote:
>
> > I think that SV is a terrible idea to begin with. I will
> > spare you the rant. Nevertheless:
> >
> > "By default, Postfix probe messages have
> > postmaster@$myorigin" as the sender address. This is SAFE
> > because the Postfix SMTP server does not reject mail for
> > this address."
> >
> > That doesn't make sense to me. Doesn't that presuppose that the
> > probed server is running Postfix or am I suffering from a senior
> > moment? The concept makes sense - just not the explanation.
>
> Think harder, if the receiving machine also does SAV, the probe
> sender, will be probed in turn (now as a recipient), it is
> important to not reject it (your own probe sender) in this context,
> or to apply SAV to the remote probe sender (whatever it may be),
> when the *recipient* is the local probe sender.
What prevents that from being an endless loop?
>
> > "You can change this into the null address
> > ("address_verify_sender ="). This is UNSAFE because
> > address probes will fail with mis-configured sites that reject
> > MAIL FROM: <>, while probes from 'postmaster@$myorigin' would
> > succeed."
> >
> > While I agree, that's not limited to mis-configured servers.
> > Rejecting null sender seems to be the most effective means of
> > eliminating backscatter. Is that an errant conclusion on my part?
>
> Yes, because not all bounces are "backscatter", and severely
> breaking mail delivery (in this case delivery error reporting) is
> not an acceptable anti-abuse measure.
I'll have to think that through. I suppose that depends upon the need
to accept some non-local NDRs in a larger environment. I also
misstated in that I am discarding these in contrast to rejecting them.
>
> I don't use SAV either, and don't recommend it, but I also don't
> recommend premature criticism. When in doubt, ask rather than
> accuse. When looking at something in detail for the first time, be
> in doubt.
>
I honestly thought I was not being critical. I did say that it
doesn't make sense TO ME. These were two questions, not answers and
they were not intended to be rhetorical. If you took offense to my
disparagement of SAV, that is NOT a criticism of Postfix or its
developers. I just get hit very hard by the probes now and then.
--
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
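
An added example, not part of the original message and not Postfix code: a toy model of two sites that both do sender address verification (SAV), showing the mutual-probe case discussed above with and without the rule "no SAV when the recipient is the local probe sender". The domains, class and function names are constructed, and a synchronous method call stands in for a probe connection.

```python
# Toy model (constructed): each Site verifies a sender by "probing" the sender's site
# with MAIL FROM set to its own probe sender, postmaster@<domain>.
MAX_DEPTH = 20  # stand-in for "endless": stop the simulation after this many nested probes

class ProbeLoop(Exception):
    pass

class Site:
    def __init__(self, domain, users, exempt_probe_rcpt):
        self.domain, self.users = domain, set(users)
        self.exempt_probe_rcpt = exempt_probe_rcpt  # skip SAV if RCPT is our probe sender
        self.peers, self.probes_sent = {}, 0

    def probe_address(self):
        return f"postmaster@{self.domain}"

    def accept_rcpt(self, mail_from, rcpt, depth=0):
        """Would this site accept RCPT TO:<rcpt> in a session with MAIL FROM:<mail_from>?"""
        if depth > MAX_DEPTH:
            raise ProbeLoop(f"{depth} nested probes")
        if rcpt.split("@")[0] not in self.users:
            return False                      # unknown recipient: the probe fails
        if self.exempt_probe_rcpt and rcpt == self.probe_address():
            return True                       # the remote site is verifying OUR probe sender
        return self.verify_sender(mail_from, depth)

    def verify_sender(self, sender, depth):
        """SAV: ask the sender's own site whether it would accept mail for the sender."""
        peer = self.peers[sender.split("@")[1]]
        self.probes_sent += 1
        return peer.accept_rcpt(self.probe_address(), sender, depth + 1)

def simulate(exempt, sender="alice@a.example"):
    """Deliver sender -> bob@b.example; return (outcome, total probes sent by both sites)."""
    a = Site("a.example", {"alice", "postmaster"}, exempt)
    b = Site("b.example", {"bob", "postmaster"}, exempt)
    a.peers = b.peers = {"a.example": a, "b.example": b}
    try:
        outcome = b.accept_rcpt(sender, "bob@b.example")
    except ProbeLoop:
        outcome = "loop"
    return outcome, a.probes_sent + b.probes_sent

if __name__ == "__main__":
    print("exempt, valid sender:  ", simulate(True))
    print("exempt, forged sender: ", simulate(True, "carol@a.example"))
    print("no exemption:          ", simulate(False))
```

With the exemption the exchange ends after two probes (B probes A, A probes B's postmaster, B accepts without probing again); without it each site keeps verifying the other's probe sender.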