[Savannah-hackers-public] [gnu.org #219521] Thoughs on SPF

[James Blair via RT]

> address@hidden - Thu Jan 13 16:23:09 2005]:
> 
> Hi,
> 
> Sorry to send you another mail, we have quite a lot of things to ask
> you at the moment.
> 
> A user is complaining that we use, for CVS notifications, a solution
> that rely on mail forgery, which is incompatible with the SPF, used
> his ISP that hence discard such mails. Indeed, when I commit to a cvs
> repository, a mail is sent on my behalf using the mail I set in the
> Savane system. The user would rather have the system send mail as
> address@hidden
> 
> For more information, conversation can be found here:
> https://savannah.gnu.org/support/index.php?func=detailitem&item_id=103775
> 
> 
> In a nutshell, I would like to know if you or the FSF in general have
> any plans regarding SPF and domainkeys support for the gnu.org mail
> system in general.
> 
 
First, regarding SPF for gnu.org: we intend to use it.  Because we
primarily are engaged in forwarding mail, we won't really utilize it
until SRS is implemented for exim, our MTA.  This doesn't really
affect the issue under consderation here except that it would be
hippocritical of us to use SPF ourselves and yet send out mail
incompatible with it.

As for savannah notifications, they should probably be sent out in
another manner.  I think breaking SPF should be avoided, and of course
there is the question of etiquitte in sending mail forged from someone
else.

I would suggest we avoid address@hidden addresses for mail
forwarding.  I don't think people really need to use savannah as a
mail forwarding service, and it's not a particularly good use of
savannah's limited computing resources.

A better idea would be making the system behave more like a mailing
list.  Mailman sends out messages with sender addresses that look like
address@hidden  That way the system can do bounce
processing and not send out messages to email addresses that generate
bounces.  I think that would be a useful feature for savannah as well
as a good solution to the problem of sending forged email.  This also
means that savannah will have to process mail though, and don't
underestimate how much work that will be for the machine.  Though with
this method you can greatly reduce the amount of actual deliveries the
machine will have to deal with (most mail will be rejected).

The easiest solution all around though would be to send mail from a
valid address.  We have already set up savannah-bounces for that
purpose.  So simply changing the envelope sender to
"address@hidden" should solve the problem.

Just to be clear, I'm writing about the envelope sender address.  If
an attempt is being made to validate the "From:" header, that is
entirely a different issue.

http://spf.pobox.com/faq.html#whichfield

-Jim