Mailing List Archive

sendmail srs/SRS-socketmap
Hi

I have been looking for an SRS implementation to use with sendmail.

I like the concept of sendmail.srs, especially in its SRS-socketmap form.

It looks like an elegant solution.

Having read through the notes on the site
http://srs-socketmap.info/index.html

I find myself with a couple of outstanding questions that a quick look
at the code has not answered.

Where a server is the MSA for multiple domains, will it still work?
I am thinking that it will send with the envelope from address set to
the domain you set fwdomain to.

Now as long as this is one of our local domains any reply
will come back to us and be unpacked.

What is bothering me is that I have at least 1 server that sends mail
from several domains with different SPF records; each domain has a
different set of servers listed, though the server in question appears
in all sets.

If SRS signing changes the domain, how will this affect SPF checking?
I am thinking that the recipient will check on the rewritten domain and
as long as the server is listed in the SPF record for that domain,
all will be well.

In several places discussing SRS they have talked about using it with a
list of secrets, where the signing uses the first secret in the current
list, but the reversal process will work if any match.

Given the sometimes lengthy period before replies come back, if you
change the secret used for outbound messages you probably want to accept
replies based on the old secret for at least a fortnight.

It may be my lack of experience with perl, but looking at the code for
srs-socketmap it looks like you can only set a single secret with the line
my $secret = 'whateverfloatsyourboat';

Does anyone have any suggestion or experience of using SRS with
this or any other implementation with sendmail?


Yours hopefully

J. David Rye


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1129/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1129/
Powered by Listbox: http://www.listbox.com
Re: sendmail srs/SRS-socketmap
On Sat, 26 Apr 2008, J. David Rye of Roadtech wrote:

> Does anyone have any suggestion or experience of using SRS with
> this or any other implementation with sendmail?

You can try my python pysrs package for sendmail.

http://bmsi.com/python/pysrs.html

I use it with pymilter, but sendmail can reject unsigned bounces on its own
also, although I forget the exact config. It is so much easier to do
everything through the milter API.

sendmail-8.14 supports changing MFROM via milter API, so a socketmap
with associated crufty cf macros is no longer needed.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
Re: sendmail srs/SRS-socketmap
On Sat, 26 Apr 2008, J. David Rye of Roadtech wrote:

> What is bothering me is that I have at least 1 server that sends mail
> from several domains with different SPF records; each domain has a
> different set of servers listed, though the server in question appears
> in all sets.
>
> If SRS signing changes the domain, how will this affect SPF checking?
> I am thinking that the recipient will check on the rewritten domain and
> as long as the server is listed in the SPF record for that domain,
> all will be well.

That is correct. As long as the rewritten domain passes SPF and the
MX servers for that domain are prepared to check and remove the signature,
you are good. My pysrs config for one mail server follows:

[srs]
secret = don't you wish
maxage = 8
hashlength = 5
;database=/var/log/milter/srsdata
fwdomain = bmsi.com
sign=bmsi.com,mail.bmsi.com,gathman.org
srs=bmsaix.bmsi.com,bmsred.bmsi.com,stl.gathman.org,bampa.gathman.org,fairfax.gathman.org,freightfacts.com,airpex.com

When actually forwarding, it uses 'fwdomain'. The domains listed in
'sign' are signed without duplicating the domain. An example would
look like: <SRS0=BMCmn=VL==stuart@bmsi.com>.

The domains in 'srs' (in addition to 'sign' and 'fwdomain') require a valid
signature on incoming bounces, or they are rejected. This can be
other mailservers that are using us for an MX (and share the secret).

Pysrs currently has just one secret at a time, but having a list
is trivial to add. I'll do it if you need it.
What is really needed in a more commercial setting is having a
list of secrets for every domain we MX/SRS (so that clients don't have to
share the srs secret with each other). Not to mention a more secure
way to store the secrets than directly in the config file.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.