[Greylist-users] Postfix?

Bob Apthorpe apthorpe at cynistar.net
Tue Mar 2 07:41:21 PST 2004


On Tue, 02 Mar 2004 10:06:57 -0500 chris at chrisbaker.net wrote:

> > I'm using it and works fine. I recommend you that you first setup SPF
> > records for your domain and SPF check in postfix (which is another
> > policy server perl script and works fine). 
> 
> I'm not sure what this is or how this works.
> 
> > http://spf.pobox.com

SPF = "Sender Policy Framework" = one of several competing
designated-sender protocols. It's often mistaken as an anti-spam
technique; rather, it's more for helping others detect forgeries. By
making forgery detection easier, mail admins can comfortably drop more
mail before the SMTP DATA phase, pushing spammers to use their own
domain names (or those without published SPF records.) It's not a
panacea (it breaks email forwarding, which is arguably broken already) but
it does increase accountability and it's trivial to set up.

Try

    nslookup -q=TXT cynistar.net

or

    dig cynistar.net TXT

and you'll get

cynistar.net.           3H IN TXT       "v=spf1 mx -all"

which basically tells the world that any mail claiming to be from
cynistar.net that doesn't come from a cynistar.net MX is a forgery.

Contrast this with Microsoft's broken Caller-ID protocol which does
effectively the same thing except a) you need to extract info from the
message headers, meaning you can't reject mail before the DATA phase,
and b) the records are XML stuffed in DNS. This is bad for two reasons:
First, the overhead of XML means the response probably won't fit in a
UDP packet, meaning DNS responses must be done over TCP, breaking DNS.
Second, no doubt Microsoft will keep the XML DTD proprietary to prevent
open implementations, following their Office XML DTD model.

-- Bob
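To make the policy in the "v=spf1 mx -all" record concrete, here is an added example (not code from Bob's message or from any SPF implementation) of a minimal evaluator that handles only the mx and all mechanisms that record uses. The DNS answers it consults are constructed stand-ins, not real records for cynistar.net; the check needs only the MAIL FROM domain and the connecting IP, which is why it can run before the DATA phase.

```python
import ipaddress

# Constructed DNS data standing in for the nslookup/dig answers in the
# post. These are NOT the real records for cynistar.net; 192.0.2.0/24
# and 198.51.100.0/24 are RFC 5737 documentation ranges.
FAKE_DNS = {
    ("cynistar.net", "TXT"): ['"v=spf1 mx -all"'],
    ("cynistar.net", "MX"): ["mail.cynistar.net"],
    ("mail.cynistar.net", "A"): ["192.0.2.25"],
}

# SPF qualifier prefix -> result name (RFC 7208 terminology)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver: returns the constructed records for (name, type)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def check_spf(domain, client_ip):
    """Evaluate the SPF record of `domain` against the connecting client IP.

    Supports only the 'mx' and 'all' mechanisms seen in the post's record.
    Returns 'none' when the domain publishes no SPF record, otherwise the
    result of the first matching mechanism ('neutral' if none matches).
    """
    txt = [r.strip('"') for r in lookup(domain, "TXT")]
    spf = [r for r in txt if r.startswith("v=spf1")]
    if not spf:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in spf[0].split()[1:]:
        qualifier, mech = "+", term            # an unprefixed term means '+'
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "mx":
            # Match if the client IP is an address of one of the domain's MX hosts
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in lookup(domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "all":
            matched = True                      # catch-all; '-all' => fail
        else:
            raise ValueError("unsupported mechanism: " + mech)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

With the constructed data, mail from 192.0.2.25 claiming cynistar.net passes, any other source fails, and a domain with no TXT record yields "none", which is the case the post describes as spammers moving to domains without published SPF.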
