Mailing List Archive

Question about SRS in sendmail
Hi,

I've read about the Mail SRS and the problem of the forwarded
e-mail. I think I got this problem. Some accounts in my server need to
be forwarded to other accounts, and those servers which have SPF
records are rejecting these forwarded e-mails. I guess that the solution
is rewriting the sender address, but how can I do that in sendmail ???

I use the sendmail 8.13 with smtp auth, and there are few articles
about the implementation on it.

I suppose that the forum could help me.


Thanks...

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss@v2.listbox.com
Re: Question about SRS in sendmail
On Tue, Jul 19, 2005 at 10:08:50AM -0300, Fernando Trindade Xavier - Fumsoft wrote:
> I've read about the Mail SRS and the problem of the forwarded
> e-mail. I think I got this problem. Some accounts in my server need to
> be forwarded to other accounts, and those servers which have SPF
> records are rejecting these forwarded e-mails. I guess that the solution
> is rewriting the sender address, but how can I do that in sendmail ???

Aside: first you might want to consider whether you ought to be breaking
*your* mail system, in order to get mail through to someone else's broken
mail system.

If A and B wish to communicate, but B's mail system rejects mail from A,
then generally the suffering is roughly equal for A and B. If B broke
things, and A is complying with the agreed standards for Internet E-mail,
then it can be argued that B should fix it.

The recipient (B) also has the option of changing to a different E-mail
account, either just to receive mail from A, or abandoning their old
provider altogether, if the old provider won't fix things.

If you are running the mail system at A: you should make it very clear to
your user/customer that your mail system is behaving correctly, and it is a
policy choice at B which is rejecting the mail.

If you are running a mail system at X, and A is sending to X which is
forwarding to B: then it is a policy choice at A (to advertise SPF records
which forbid forwarding via a third party) combined with a policy choice at
B (to reject mail based on advertised SPF policies).

If you fight SPF, you may help in a small way towards bringing forward its
demise.

Regards,

Brian.

Re: Question about SRS in sendmail
Surely this question is exactly what SRS is all about? Some mail servers
NEED to forward mail on behalf of others, and SRS is meant to provide a
method whereby we can.

I don't think that Fernando wants to actually rewrite the sender address,
rather to include a statement that his mail server has permission to
forward on behalf of the originating mail server.

I would also love an "idiots guide" to implementing SRS in Sendmail. Does
such a thing exist or can anyone help out?

Thanks
Sarah

At 14:31 19/07/2005, you wrote:
>On Tue, Jul 19, 2005 at 10:08:50AM -0300, Fernando Trindade Xavier -
>Fumsoft wrote:
> > I've read about the Mail SRS and the problem of the forwarded
> > e-mail. I think I got this problem. Some accounts in my server need to
> > be forwarded to other accounts, and those servers which have SPF
> > records are rejecting these forwarded e-mails. I guess that the solution
> > is rewriting the sender address, but how can I do that in sendmail ???
>
>Aside: first you might want to consider whether you ought to be breaking
>*your* mail system, in order to get mail through to someone else's broken
>mail system.
>
><cut>
>
>If you fight SPF, you may help in a small way towards bringing forward its
>demise.
>
>Regards,
>
>Brian.
Re: Question about SRS in sendmail
On Tue, 2005-07-19 at 15:20 +0100, Sarah Carroll wrote:
> Surely this question is exactly what SRS is all about? Some mail servers
> NEED to forward mail on behalf of others, and SRS is meant to provide a
> method whereby we can.

You _already_ can, and that's been true for years. Fernando is reporting
that a _small_ number of recipients are now rejecting valid mail which
his servers have forwarded.

SRS is a hack to work around the broken policies of those recipients.
Brian is suggesting it would be better for Fernando to get those recipients
to _fix_ their broken policies, instead of trying to work around them.

I'm inclined to agree. Contact the postmaster at the broken sites which
are rejecting valid mail, refer them to something like
http://david.woodhou.se/why-not-spf.html and suggest that they stop
rejecting mail for SPF failure.

--
dwmw2

Re: Question about SRS in sendmail
On Tue, 19 Jul 2005 discussion-lists@linnet.org wrote:

> On Tue, Jul 19, 2005 at 10:08:50AM -0300, Fernando Trindade Xavier - Fumsoft wrote:
> > I've read about the Mail SRS and the problem of the forwarded
> > e-mail. I think I got this problem. Some accounts in my server need to
> > be forwarded to other accounts, and those servers which have SPF
> > records are rejecting these forwarded e-mails. I guess that the solution
> > is rewriting the sender address, but how can I do that in sendmail ???
>
> Aside: first you might want to consider whether you ought to be breaking
> *your* mail system, in order to get mail through to someone else's broken
> mail system.

You are correct that the receiving mail system is broken. However, the
problem is not SPF, but an incorrect implementation of SPF.
A pre-requisite for strict checking of SPF is that a mail receiver
identify all forwarders. The receiver in question obviously did not
do that, and hence should have been using relaxed checking
(add a Received-SPF header, but do not reject mail, and let a
content filter sort it out).

If SPF has a problem, it is that just as buffer overflow bugs are too
easy to commit in the C language, so it is too easy for SPF noobies
to miss the requirements for strict checking. They ignore the
advice to start in relaxed mode until they know what they are doing, and jump
right to strict without meeting the requirements.

You should not have to use SRS just because some receiver is broken.
I would first call up the receiving system (NOT the system that published
SPF records) and explain that they or their customer requested the forward
from your system, and if they want it to work, they need to accept
the forward from your system.

SRS was intended as a tool to make managing forwards easier for
a receiver.

However, SRS also works as a bandaid for broken receivers in most cases.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: Question about SRS in sendmail
On Tue, 19 Jul 2005, Sarah Carroll wrote:

> I would also love an "idiots guide" to implementing SRS in Sendmail. Does
> such a thing exist or can anyone help out?

http://bmsi.com/python/pysrs.html

Provides a "HACK" for sendmail so that implementing SRS looks like
this in sendmail.mc:

define(`NO_SRS_FILE',`/etc/mail/no-srs-mailers')dnl
dnl define(`NO_SRS_FROM_LOCAL')dnl
HACK(`pysrs',`/var/run/milter/pysrs')dnl

Then, a socketmap daemon written in python runs in the background. The RPM
sets it up as a sysvinit service.

CVS source is at pymilter.sourceforge.net:

http://sourceforge.net/cvs/?group_id=139894

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: Question about SRS in sendmail
On Tue, 19 Jul 2005, David Woodhouse wrote:

> I'm inclined to agree. Contact the postmaster at the broken sites which
> are rejecting valid mail, refer them to something like
> http://david.woodhou.se/why-not-spf.html and suggest that they stop
> rejecting mail for SPF failure.

The title is incendiary, but the message is correct. They should
not be rejecting mail for SPF failure without meeting the requirements.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: Question about SRS in sendmail
Sarah Carroll wrote:
> Surely this question is exactly what SRS is all about? Some mail servers
> NEED to forward mail on behalf of others, and SRS is meant to provide a
> method whereby we can.
>
> I don't think that Fernando wants to actually rewrite the sender
> address, rather to include a statement that his mail server has
> permission to forward on behalf of the originating mail server.
>
> I would also love an "idiots guide" to implementing SRS in Sendmail.
> Does such a thing exist or can anyone help out?
>
> Thanks
> Sarah
>
> At 14:31 19/07/2005, you wrote:
>
>> On Tue, Jul 19, 2005 at 10:08:50AM -0300, Fernando Trindade Xavier -
>> Fumsoft wrote:
>> > I've read about the Mail SRS and the problem of the forwarded
>> > e-mail. I think I got this problem. Some accounts in my server need to
>> > be forwarded to other accounts, and those servers which have SPF
>> > records are rejecting these forwarded e-mails. I guess that the solution
>> > is rewriting the sender address, but how can I do that in sendmail ???
>>
>> Aside: first you might want to consider whether you ought to be breaking
>> *your* mail system, in order to get mail through to someone else's broken
>> mail system.
>>
>> <cut>
>>
>> If you fight SPF, you may help in a small way towards bringing forward
>> its
>> demise.
>>
>> Regards,
>>
>> Brian.

Sarah -

As for SRS implementation in sendmail, i would hang on a little bit and
check out SES, which is what SRS has evolved into over the past months.
There are quite a few pages detailing how to implement ses/srs in
sendmail, but the code has actually released there will be a milter to
follow (i imagine) and some sendmail patches, etc.

HTH
Michael Weiner

--
Darwin Kernel Version 8.2.0: root:xnu-792.2.4.obj~3/RELEASE_PPC
Load Averages: 3.30 3.56 3.38
CPU Usage: 45.5% user 54.5% sys 0.0% idle
Memory Usage: 111M wired 581M active 304M inactive 998M used 25.8M free
-=- This AutoSig was generated on 07/19/2005 at 10:58. -=-
Re: Question about SRS in sendmail
On Tue, 19 Jul 2005, Michael Weiner wrote:

> As for SRS implementation in sendmail, i would hang on a little bit and
> check out SES, which is what SRS has evolved into over the past months.
> There are quite a few pages detailing how to implement ses/srs in
> sendmail, but the code has actually released there will be a milter to
> follow (i imagine) and some sendmail patches, etc.

SES is great for signing the return path. But it doesn't help
with delivering bounces for forwarded mail.

Some people use SRS only to block forged bounces - and SES could be
an alternative for that purpose. But for forwarding mail and
any resulting bounces, SRS is what you need.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
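
What SRS rewriting does to the envelope sender at a forwarder, and how a returning bounce is checked before it is sent on to the original sender, shown as an added example. This is not code from the thread or from pysrs; it follows the general SRS0 layout (hash, timestamp, original host, original user), and the key, domains, hash length, hash input and 21-day window are assumptions.

```python
import base64
import hashlib
import hmac

# Every value here is constructed for illustration.
SECRET = b"constructed-demo-key"     # assumed forwarder secret
FORWARDER = "forwarder.example"      # assumed forwarding domain
HASH_LEN = 4                         # assumed hash truncation
MAX_AGE_DAYS = 21                    # assumed bounce validity window
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SLOTS = 1024                         # two base32 characters = 10 bits


def timestamp(day):
    """Encode a day number (days since the Unix epoch) as two base32 chars."""
    slot = day % SLOTS
    return B32[slot >> 5] + B32[slot & 31]


def timestamp_ok(ts, today):
    """True if ts names a day no more than MAX_AGE_DAYS before today."""
    ts = ts.upper()
    if len(ts) != 2 or ts[0] not in B32 or ts[1] not in B32:
        return False
    slot = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    age = (today % SLOTS - slot) % SLOTS   # modular, so wrap-around works
    return age <= MAX_AGE_DAYS


def tag(ts, host, user):
    """Truncated keyed hash binding timestamp, original host and user."""
    msg = "\0".join((ts, host, user)).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:HASH_LEN]


def forward(sender, today):
    """Rewrite MAIL FROM into the forwarder's own domain."""
    user, _, host = sender.rpartition("@")
    if not user or not host:
        raise ValueError("sender must be user@host")
    ts = timestamp(today)
    return f"SRS0={tag(ts, host, user)}={ts}={host}={user}@{FORWARDER}"


def reverse(rcpt, today):
    """Recover the original sender from a bounce recipient, else ValueError."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address of this forwarder")
    # Unpacking raises ValueError if a field is missing; the user part may
    # itself contain "=", hence maxsplit=3.
    h, ts, host, user = local[5:].split("=", 3)
    if not hmac.compare_digest(h.encode(), tag(ts, host, user).encode()):
        raise ValueError("hash mismatch: forged or altered address")
    if not timestamp_ok(ts, today):
        raise ValueError("timestamp expired")
    return f"{user}@{host}"


if __name__ == "__main__":
    day = 19000   # constructed day number; live code: int(time.time()) // 86400
    rewritten = forward("alice@sender.example", day)
    print(rewritten)
    print(reverse(rewritten, day + 5))
```

Because the rewritten sender is in the forwarder's domain, the final recipient's SPF check is made against the forwarder's record, and the hash and timestamp let the forwarder refuse bounces to addresses it never issued.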

Re: Question about SRS in sendmail
On Tue, 2005-07-19 at 11:37 -0400, Stuart D. Gathman wrote:
> Some people use SRS only to block forged bounces - and SES could be
> an alternative for that purpose. But for forwarding mail and
> any resulting bounces, SRS is what you need.

That or a baseball bat with which to educate the recipients who are
rejecting your validly forwarded mail. :)

But really, the baseball bat isn't often needed -- just a gentle
explanation usually suffices in my experience.

--
dwmw2

Re: Question about SRS in sendmail
On Tue, Jul 19, 2005 at 03:07:26PM -0400, David Woodhouse wrote:
>
> That or a baseball bat with which to educate the recipients who are
> rejecting your validly forwarded mail. :)

Actually it's their validly forwarded mail; it's not the original
sender's any more.

The recipients are the ones who set up the forwarding of their mail to their
final destination, so you'd need to hand them the baseball bat to help
them educate themselves about rejecting their mail that they forwarded
to themselves.

--
Mark Shewmaker
mark@primefactor.com

Re: Question about SRS in sendmail
On Tue, 19 Jul 2005, David Woodhouse wrote:

> On Tue, 2005-07-19 at 11:37 -0400, Stuart D. Gathman wrote:
> > Some people use SRS only to block forged bounces - and SES could be
> > an alternative for that purpose. But for forwarding mail and
> > any resulting bounces, SRS is what you need.
>
> That or a baseball bat with which to educate the recipients who are
> rejecting your validly forwarded mail. :)

While correctly handling forwarders is the responsibility of
the recipient when implementing strict SPF checking, SRS can
be a tool that simplifies forwarder management in many cases.

Without SRS, the recipient must keep a list of forwarder domains,
and essentially check a forwarder domain "as if" it was the MAIL FROM
(even though it isn't). This is better than keeping a list of raw
IP addresses, but even simpler still, the recipient can choose
only forwarders who implement SRS. Then they don't need to keep a list.
Of course, this only works if the recipient has that choice.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: Question about SRS in sendmail
On Tue, 2005-07-19 at 16:52 -0400, Mark Shewmaker wrote:
> The recipients are the ones who set up the forwarding of their mail to
> their final destination, so you'd need to hand them the baseball bat

It doesn't necessarily matter whether the bat is wielded by the
forwarder, or the individual user whose mail is lost -- as long as the
education is applied to the admin of the mailserver which is rejecting
the mail, it should start working again.

Often you're right, it's better for the individual user to do it because
they at least have some kind of client-provider relationship with the
offending party.

> to help them educate themselves about rejecting their mail that they
> forwarded to themselves.

s/themselves/their ISP/ or other entity.

--
dwmw2

RE: Question about SRS in sendmail
> From: Stuart D. Gathman
> Sent: Tuesday, July 19, 2005 10:37 AM

<...>

> SES is great for signing the return path. But it doesn't help
> with delivering bounces for forwarded mail.

With SES, as with ordinary email, a bounce from any MTA in the message
delivery path goes directly back to the originating gateway MTA. If that
MTA can validate the signature on the null-sender message it is being
offered, the message is very likely a bona-fide bounce and it should be
accepted. This is no different from the way bounces work today, except that
the original sender has a tool to help distinguish forged bounces.


>
> Some people use SRS only to block forged bounces - and SES could be
> an alternative for that purpose. But for forwarding mail and
> any resulting bounces, SRS is what you need.

While SRS is one way to accomplish forwarding broken by SPF, SES integrates
more easily with SPF without the cooperation of any forwarders or the final
recipient, for that matter. One implementation of this only does the SES
validation check if the message does not otherwise yield an SPF pass. This
can be accomplished, even for SPF recipients that have never heard of SES,
by use of the exists: mechanism with appropriate macros and a "stunt" DNS
validation server.

While this is not my favorite implementation for SES, it only requires the
original sender's cooperation and does solve the forwarding problem inherent
in SPF. The original sender would preferably set things up so any DNS
validation requests for SES are routed back to the originating gateway MTA.
There is _not_ a real DNS server in that MTA, only a process that accepts a
UDP query (that happens to be in the form of a DNS request packet), checks
validity of a signature and issues a UDP response (that happens to be in the
form of a DNS response packet). The SPF-compliant recipient will not know
that it is not talking to a real DNS server, only that the exists: mechanism
just matched, thus generating an SPF pass.

The end result is that due to an action taken only by the original sender,
mail that leaves that sender and is subsequently forwarded will generate an SPF
pass at any SPF-compliant recipient. This does not require the recipient or
any of the forwarders to change anything. Bounces also go directly back to
the originating gateway MTA and need not be relayed by a forwarder. If this
sounds like what you want, SRS is most assuredly _not_ what you need.


--

Seth Goodman
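
The exists: arrangement described in this message, reduced to the decision the "stunt" responder makes for each query name, shown as an added example. This is not code from the thread and not real SES code: the signed local-part layout (user-day-signature), the zone, the key and the 14-day lifetime are assumptions made for illustration; only the SPF exists: mechanism and the %{l} macro are standard.

```python
import hashlib
import hmac

# Every value here is constructed for illustration.
SECRET = b"constructed-demo-key"       # assumed signing key at the sender
ZONE = "ses.sender.example"            # assumed zone answered by the gateway
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 exists:%{l}." + ZONE + " -all"
MAX_AGE_DAYS = 14                      # assumed signature lifetime
SIG_HEX = 10                           # assumed signature length (hex digits)


def _sig(user, day):
    # Hex output and a lower-cased user keep the check case-insensitive,
    # because DNS names may arrive in any letter case.
    msg = f"{user.lower()}|{day}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:SIG_HEX]


def sign(user, day):
    """Hypothetical signed local part: user-day-signature."""
    return f"{user}-{day}-{_sig(user, day)}"


def exists_query(mail_from):
    """Name an SPF checker looks up after expanding %{l} in exists:."""
    local = mail_from.rpartition("@")[0]
    target = next(t for t in SPF_RECORD.split() if t.startswith("exists:"))
    return target[len("exists:"):].replace("%{l}", local)


def should_answer(qname, today):
    """True: reply with an A record (exists: matches). False: NXDOMAIN."""
    name = qname.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return False
    local = name[: -len(suffix)]
    try:
        user, day_s, sig = local.rsplit("-", 2)   # user may contain "-"
    except ValueError:
        return False
    if not user or not (day_s.isascii() and day_s.isdigit()):
        return False
    if not 0 <= today - int(day_s) <= MAX_AGE_DAYS:
        return False
    return hmac.compare_digest(sig.encode(), _sig(user, int(day_s)).encode())
```

The recipient's SPF checker only sees whether an A record came back, so the forwarder's IP address never enters the decision; what passes or fails is the signature carried in the envelope sender's local part.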

RE: Question about SRS in sendmail
Seth Goodman writes:
> While SRS is one way to accomplish forwarding broken by SPF, SES integrates
> more easily with SPF without the cooperation of any forwarders or the final
> recipient, for that matter.

SRS vs. SES depends on your perspective. SES addresses the problem as
seen by senders whose mail may not arrive due to forwarding, whereas
SRS addresses the problem as seen by forwarders trying to forward mail
from unsophisticated senders to unsophisticated recipients behind SPF
barriers.

If you're a forwarder, SES won't help you unless senders of mail to
your users implement it, but you can solve your forwarding problem
using SRS. If you're a sender, SRS won't help you unless forwarders
implement it, but you can solve your own forwarding problem using SES.

SES-signed email forwarded by a forwarder using SRS may lose its
authentication, but it will still go through. (A little smarts in the
receive-side SES implementation can preserve the authentication.)

If you're a forwarder, implement SRS. It will save you some grief.

I'm a forwarder running SRS based on

http://srs-socketmap.info/sendmailsrs.htm

with modifications for a more complex setup than a single server. If
I get a chance, I may write up how I did this and post it on my
website. If so, I'll post a note here.

--
Dick St.Peters, stpeters@NetHeaven.com
Gatekeeper, NetHeaven, Saratoga Springs, NY

Re: Question about SRS in sendmail
On Tue, Jul 19, 2005 at 10:08:50AM -0300, Fernando Trindade Xavier - Fumsoft <fernando@fumsoft.softex.br> wrote:
> I've read about the Mail SRS and the problem of the forwarded
> e-mail. I think I got this problem. Some accounts in my server need to
> be forwarded to other accounts, and those servers which have SPF
> records are rejecting these forwarded e-mails. I guess that the solution
> is rewriting the sender address, but how can I do that in sendmail ???
>
> I use the sendmail 8.13 with smtp auth, and there are few articles
> about the implementation on it.
>
> I suppose that the forum could help me.

I have also written a sendmail HACK() to do this; see
http://www.madhack.com/~madhack/srs.m4 . It does require the
command-line srs tools.

--
Mike Markley <mike@markley.org>

It's easier to wear the spandex than to do the crunches.
- David Lee Roth

Re: Question about SRS in sendmail
On Mon, 1 Aug 2005, Mike Markley wrote:

> On Tue, Jul 19, 2005 at 10:08:50AM -0300, Fernando Trindade Xavier - Fumsoft <fernando@fumsoft.softex.br> wrote:
> > I've read about the Mail SRS and the problem of the forwarded
> > e-mail. I think I got this problem. Some accounts in my server need to
> > be forwarded to other accounts, and those servers which have SPF
> > records are rejecting these forwarded e-mails. I guess that the solution
> > is rewriting the sender address, but how can I do that in sendmail ???
> >
> > I use the sendmail 8.13 with smtp auth, and there are few articles
> > about the implementation on it.
> >
> > I suppose that the forum could help me.
>
> I have also written a sendmail HACK() to do this; see
> http://www.madhack.com/~madhack/srs.m4 . It does require the
> command-line srs tools.

pysrs provides a socketmap implementation, and a HACK to go with it:

http://bmsi.com/python/pysrs.html

sendmail.mc looks like this:

define(`NO_SRS_FILE',`/etc/mail/no-srs-mailers')dnl
dnl define(`NO_SRS_FROM_LOCAL')dnl
HACK(`pysrs',`/var/run/milter/pysrs')dnl

The rpms are for Redhat, but should work with other sysvinit systems.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
