Mailing List Archive

SRS for postfix ?
Hi there,

This is strange, we can find SRS for Exim, Sendmail, (qmail ?) and
lots of MTA... but nothing for Postfix.

Is there any way to have it working ?

Even with postfix 2.3.x branch there is milter support, is there any
milter version of SRS (e.g. one that works with sendmail milter) ?

Thanks,
/Xavier

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss@v2.listbox.com
Re: SRS for postfix ?
On Thursday 17 August 2006 04:46, Xavier Beaudouin wrote:
> Hi there,
>
> This is strange, we can find SRS for Exim, Sendmail, (qmail ?) and
> lots of MTA... but nothing for Postfix.
>
> Is there any way to have it working ?
>
> Even with postfix 2.3.x branch there is milter support, is there any
> milter version of SRS (e.g. one that works with sendmail milter) ?
>
There is pymilter that includes an SRS capability:

https://sourceforge.net/projects/pymilter

I'll be curious how it goes if you try and run it with Postfix 2.3 as I'd
planned on trying to integrate it in a few weeks.


Scott K

Re: SRS for postfix ?
On Thu, 17 Aug 2006, Scott Kitterman wrote:

> There is pymilter that includes an SRS capability:
>
> https://sourceforge.net/projects/pymilter
>
> I'll be curious how it goes if you try and run it with Postfix 2.3 as I'd
> planned on trying to integrate it in a few weeks.

The pysrs module will not work with Postfix. The milter API does not
allow changing MFROM. To change MFROM, pysrs uses a sendmail SocketMap
and some cf macros to call it (the infamously opaque CF language). Postfix has
an equivalent for SocketMap that should be easy to translate. But I don't know
how to change MFROM in Postfix - or whether it is even possible.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: SRS for postfix ?
>>>>> "Stuart" == Stuart D Gathman
>>>>> "Re: SRS for postfix ?"
>>>>> Thu, 17 Aug 2006 11:15:30 -0400 (EDT)

Stuart> On Thu, 17 Aug 2006, Scott Kitterman wrote:
>> There is pymilter that includes an SRS capability:
>>
>> https://sourceforge.net/projects/pymilter
>>
>> I'll be curious how it goes if you try and run it with Postfix
>> 2.3 as I'd planned on trying to integrate it in a few weeks.

Stuart> The pysrs module will not work with Postfix. The milter
Stuart> API does not allow changing MFROM. To change MFROM, pysrs
Stuart> uses a sendmail SocketMap and some cf macros to call it
Stuart> (the infamously opaque CF language). Postfix has an
Stuart> equivalent for SocketMap that should be easy to translate.
Stuart> But I don't know how to change MFROM in Postfix - or
Stuart> whether it is even possible.

Is this any help
<http://www.irbs.net/internet/postfix/0401/1020.html>?

jam

Re: Re: SRS for postfix ?
On Thu, 17 Aug 2006, John A. Martin wrote:

> Is this any help
> <http://www.irbs.net/internet/postfix/0401/1020.html>?

No. It is a rant against SRS based on misconceptions. Examples:
"uncontrolled growth of local part", "no standard SRS encoding", etc.

The code included implies that patching Postfix is the only way to
implement SRS. I was hoping that, while the sendmail milter API doesn't
handle it, the postfix policy daemon API would handle modifying MFROM.

While interested in Postfix, I have never used it. Sendmail is so
flexible, the ugliness of the CF language is not enough to drive me away.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: SRS for postfix ?
>>>>> "Stuart" == Stuart D Gathman
>>>>> "Re: Re: SRS for postfix ?"
>>>>> Thu, 17 Aug 2006 12:38:21 -0400 (EDT)

Stuart> On Thu, 17 Aug 2006, John A. Martin wrote:
>> Is this any help
>> <http://www.irbs.net/internet/postfix/0401/1020.html>?

Stuart> No. It is a rant against SRS based on misconceptions.
Stuart> Examples: "uncontrolled growth of local part", "no
Stuart> standard SRS encoding", etc.

Apart from that paragraph, the preceding references to the Postfix
architecture may be a bit better. I do not however grok the
implementation logic given for the delivery agent.

Stuart> The code included implies that patching Postfix is the
Stuart> only way to implement SRS. I was hoping that, while the
Stuart> sendmail milter API doesn't handle it, the postfix policy
Stuart> daemon API would handle modifying MFROM.

Would a new transport be worth thinking about?

Stuart> While interested in Postfix, I have never used it.
Stuart> Sendmail is so flexible, the ugliness of the CF language
Stuart> is not enough to drive me away.

Postfix has a very different architecture. That is why there is not
now an easy way for a milter to change the MFROM in Postfix.

jam

Re: Re: SRS for postfix ?
On Thursday 17 August 2006 12:38, Stuart D. Gathman wrote:

> The code included implies that patching Postfix is the only way to
> implement SRS. I was hoping that, while the sendmail milter API doesn't
> handle it, the postfix policy daemon API would handle modifying MFROM.

Can't do it that way, but I think it's possible. I need to think about it and
try to work something out (in my copious free time). It has to be done
somehow with header checks I think.

Scott K

RE: Re: SRS for postfix ?
>> Apart from that paragraph, the preceding references to the Postfix
>> architecture may be a bit better.
>> I do not however grok the implementation logic given for the delivery
>> agent.

I did, and the logic proposed is decent, although the author focused on
the shady aspects of it.

The idea of creating a patch that is absolutely perfect and has all
possible problems taken care of beforehand is too strong to be
practical, and the author used this to argue that "it will never work".

I think the authors/promoters of SPF/SRS should engage directly in this
issue and provide the community with good and simple implementations of
SPF/SRS for each and every major version of popular MTAs.

If this was done it would sooner prove or disprove any doubts about the
usefulness and viability of widespread SPF/SRS usage.

Best Regards,
Gabriel Blum

CONFIDENTIALITY NOTICE:

The information in this Internet email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized.


RE: Re: SRS for postfix ?
On Thu, 17 Aug 2006, Blum, Gabriel wrote:

> I think the authors/promoters of SPF/SRS should engage directly in this
> issue and provide the community with good and simple implementations of
> SPF/SRS for each and every major version of popular MTAs.
>
> If this was done it would sooner prove or disprove any doubts about the
> usefulness and viability of widespread SPF/SRS usage.

It is not at all necessary to use SRS with SPF. SRS is a workaround for
forwarders whose customers are unwilling or unable (their mail provider
doesn't let them) to properly configure their SPF checker. A much less
intrusive way to handle receiver initiated forwarding is a trusted-forwarder
list - either public or private. Of course, a forwarder that doesn't check
SPF just becomes a spam conduit. But this happens with or without SRS.

I do not use SRS for forwarding. I use it for MFROM signing to reject forged
DSNs from MTAs that do not check SPF.

I repeat - SRS is *not* needed for an effective SPF implementation.

SRS for forwarding is only needed by forwarders with clueless/powerless
clients.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

RE: Re: SRS for postfix ?
>> SRS for forwarding is only needed by forwarders with
>> clueless/powerless clients.

Agree, but unfortunately that's what plenty of big companies are,
specially those in non-tech industries.

They usually have bloated IT departments with unintelligent and/or
exaggerated security policies and bureaucracy that makes it real hard -
if even possible - to get yourself into a "trusted" list of anything.

The reality of most of the biggest companies in the world is that each
department is a huge organization by itself, independent from each
other, hiring most services outside mostly (specially after the
tercerization + focus-on-core-business idea appeared).

It's not acceptable for us, who provide distribution of regulatory and
compliance documents, neither for the client that hires us, that we
must first get approval of the "IT department" -- which might never
happen.

I do not wish to go offtopic, just felt like emphasizing that while your
affirmative is true, the population of "clueless/powerless clients" is
not a minority -- neither in size nor in importance.

Back to SRS, I still think it would be great if the promoters of SRS would
provide us with patches for those cases where MTA devs didn't feel like
SRS was important (e.g. postfix).

Best Regards,
Gabriel Blum

Re: Re: SRS for postfix ?
Hello,


>> I think the authors/promoters of SPF/SRS should engage directly in
>> this issue and provide the community with good and simple
>> implementations of SPF/SRS for each and every major version of
>> popular MTAs.
>>
>> If this was done it would sooner prove or disprove any doubts
>> about the usefulness and viability of widespread SPF/SRS usage.
>
> It is not at all necessary to use SRS with SPF. SRS is a
> workaround for forwarders whose customers are unwilling or unable
> (their mail provider doesn't let them) to properly configure their
> SPF checker. A much less intrusive way to handle receiver initiated
> forwarding is a trusted-forwarder list - either public or private.
> Of course, a forwarder that doesn't check SPF just becomes a spam
> conduit. But this happens with or without SRS.

I don't use it yet, but there are more and more people that have -all in
their SPF headers....

Problem is customers (that, as usual, don't understand how a smtp/spf/etc...
works and want their bloody mail what ever it is without getting spam and
losing any mail)...

> I do not use SRS for forwarding. I use it for MFROM signing to reject
> forged DSNs from MTAs that do not check SPF.
>
> I repeat - SRS is *not* needed for an effective SPF implementation.
>
> SRS for forwarding is only needed by forwarders with clueless/powerless
> clients.

I see :)

/Xavier

Re: SRS for postfix ?
>>>>> "Stuart" == Stuart D Gathman
>>>>> "RE: Re: SRS for postfix ?"
>>>>> Thu, 17 Aug 2006 15:21:17 -0400 (EDT)

Stuart> It is not at all necessary to use SRS with SPF. SRS is a
Stuart> workaround for forwarders whose customers are unwilling or
Stuart> unable (their mail provider doesn't let them) to properly
Stuart> configure their SPF checker. A much less intrusive way to
Stuart> handle receiver initiated forwarding is a
Stuart> trusted-forwarder list - either public or private. Of
Stuart> course, a forwarder that doesn't check SPF just becomes a
Stuart> spam conduit. But this happens with or without SRS.

Stuart> I do not use SRS for forwarding. I use it for MFROM signing
Stuart> to reject forged DSNs from MTAs that do not check SPF.

Stuart> I repeat - SRS is *not* needed for an effective SPF
Stuart> implementation.

Stuart> SRS for forwarding is only needed by forwarders with
Stuart> clueless/powerless clients.

Agreed. Violently. :) However it has not been clear to me how to do
SRS MFROM signing to reject forged DSNs with Postfix.

jam

RE: Re: SRS for postfix ?
Blum, Gabriel writes:
> >> SRS for forwarding is only needed by forwarders with
> >> clueless/powerless clients.
>
> Agree, but unfortunately that's what plenty of big companies are,
> specially those in non-tech industries.

It's not just big companies, nor is it just non-tech people.

Consider a good friend of mine. He builds his own computers and
writes his own software. He even builds his own printed circuit
boards in his basement. It would be extremely hard to label him
"non-tech", yet he hasn't a clue about how email or DNS work.

How email works "behind the curtain" is an obscure and arcane topic of
interest to and understood by very few people. Most of the people who
do not understand it are experts in some other arcane field in which
we on this list are the clueless idiots. My friend is a physical
chemist with a PhD; he has spent many years designing, building, and
programming electronic laboratory equipment. He probably knows more
than anyone on this list about what goes on inside an integrated
circuit chip. Although he uses email all the time, he just happens
not to care how email works.

If you're going to design a system for email - or for anything else -
the first consideration always has to be that most people are and will
remain clueless about how it works - just as we all are clueless about
how most things we use every day work.

As a forwarder, I use SRS to make sure my users don't have their mail
rejected by SPF, and as a sender and receiver, I use it to avoid
forged bounces. My users shouldn't even have to know I do this. They
are mostly clueless about how mail works, and they should be able to
remain clueless if they prefer and still have working email. The
essence of SRS is that for those of us who do know about email and are
in charge of making it work, SRS helps us keep it working.

--
Dick St.Peters, stpeters@NetHeaven.com
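
The two uses named in the message above (rewriting MFROM when forwarding, and recognising forged bounces), shown as an added example that is not part of the thread and is not pysrs or any other SRS library's code. It is a simplified SRS0-style scheme; the secret, the domain `forwarder.example`, the 21-day window and all function names are assumptions, and the encoding is not claimed to be byte-compatible with any existing implementation.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-secret"  # assumption: per-site signing key
FORWARDER = "forwarder.example"      # assumption: domain doing the rewrite
MAX_AGE_DAYS = 21                    # assumption: how long a stamp stays valid
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _day(now):
    return int((time.time() if now is None else now) // 86400) % 1024

def _tag(stamp, host, local):
    """Short keyed hash over the fields a forger would have to guess."""
    msg = "=".join((stamp, host, local)).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]

def srs_forward(mfrom, now=None):
    """Rewrite user@host into a signed SRS0-style address at FORWARDER."""
    local, host = mfrom.rsplit("@", 1)
    day = _day(now)
    stamp = B32[day >> 5] + B32[day & 31]  # day counter as two base32 chars
    return f"SRS0={_tag(stamp, host, local)}={stamp}={host}={local}@{FORWARDER}"

def srs_reverse(rcpt, now=None):
    """Return the original MFROM; raise ValueError if forged or expired."""
    local_part, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER or not local_part.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this domain")
    fields = local_part[5:].split("=", 3)  # the local part may itself contain '='
    if len(fields) != 4 or len(fields[1]) != 2:
        raise ValueError("malformed SRS0 address")
    tag, stamp, host, local = fields
    if not hmac.compare_digest(tag.encode(), _tag(stamp, host, local).encode()):
        raise ValueError("bad signature")
    # B32.index raises ValueError for any character outside the alphabet.
    then = B32.index(stamp[0].upper()) * 32 + B32.index(stamp[1].upper())
    if (_day(now) - then) % 1024 > MAX_AGE_DAYS:
        raise ValueError("expired")
    return f"{local}@{host}"

def accept_dsn(rcpt, now=None):
    """Policy for a bounce (null MFROM): accept only if rcpt verifies."""
    try:
        srs_reverse(rcpt, now)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    NOW = 1155772800  # constructed timestamp: 17 Aug 2006 00:00 UTC
    signed = srs_forward("alice@sender.example", NOW)
    print(signed, "->", srs_reverse(signed, NOW))
    print(accept_dsn(signed.replace("alice", "mallory"), NOW))
```
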

RE: Re: SRS for postfix ?
On Fri, 18 Aug 2006, Dick St.Peters wrote:

> Blum, Gabriel writes:
> > >> SRS for forwarding is only needed by forwarders with
> > >> clueless/powerless clients.
> >
> > Agree, but unfortunately that's what plenty of big companies are,
> > specially those in non-tech industries.
>
> It's not just big companies, nor is it just non-tech people.

... lots of irrelevant stuff about not everyone being an email expert ...

> If you're going to design a system for email - or for anything else -
> the first consideration always has to be that most people are and will
> remain clueless about how it works - just as we all are clueless about
> how most things we use every day work.

The email clueless people who know they are email clueless have no
problem. They don't check SPF and SPF is very friendly to them.

The problem comes when people who ought to know better throw in
some system to reject on SPF fail without configuring for forwarders.

I believe the phrase is "knowing just enough to be dangerous". *Those*
are the clueless idiots I have no sympathy for. The doctors and
car mechanics are not the problem. It is email admins - who ought to
know better - who are guilty of email mal-practice. Not their users.

If it is an end user configured system - then it had better not provide
a reject on fail option unless it also provides some kind of forwarding
configuration.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
