[Mimedefang] md_check_against_smtp_server and md_graphdefang_log

[kd6lvw at yahoo.com]

--- On Tue, 3/26/13, David F. Skoll <dfs at roaringpenguin.com> wrote:
> ... [snipped]
> 
> SPF is completely useless in the following sense: Rejecting mail because
> of SPF "fail" will absolutely cause valid mail to be rejected.  You (and I)
> may say "Tough luck for domains that publish broken SPF records", but for
> some reason our customers don't see it that way.

Broken SPF records do not generate a "fail" response.  They generate an "error" response (one of two types).  Either way, you seem to be saying that LEGITIMATE errors should not be sent back, and I must disagree with such.  Only DSN errors from spoofing should be suppressed.

I do say "tough luck" for otherwise valid mail rejected by an SPF fail.  If the administrator tells my server that the mail is not authorized (when it actually is valid), how is that my server's problem?  My server was told the mail is bogus so it was refused.  Not my problem.

 
> Because it is not practical to reject messages because of SPF fail,

I regularly reject SPF failure messages directly at the SMTP "MAIL FROM" stage.  Per my own logs, it was clear that all such attempts were clearly spoofed mail (e.g. country of origin didn't match location of domain used, etc.,...).

> you have no choice but to guard against backscatter.  And while an
> LDAP or other form of directory lookup is the superior approach,
> real-world constraints often limit you to using an SMTP call-forward.

As I deny all mail that fails security checks (SPF, DKIM, PGP, virus, spam, etc.) during the SMTP transaction, I guard against backscatter just fine by never accepting responsibility for the bad mail in the first place via rejection during SMTP.
 
> > In my opinion, a message with other than an SPF fail is a candidate
> > for a DSN, although I always reject during the SMTP transaction when
> > possible.  If a domain or hostname manager has not chosen to protect
> > his message source with SPF, that's his problem - because he's
> > effectively saying that he doesn't care about receiving backscatter
> > (or with SPF softfail, wants it), or is too ignorant on how to
> > properly run a mail server and needs a lesson.
> 
> That may well be your opinion, but that's because you don't have
> paying customers who rely on you to relay their mail.  It's very easy
> to be cavalier with your own email; not so easy with tens of thousands
> of end-users.

I pay for my own mail by use of the bandwidth I pay for, and I have users other than just me in my domains.  They don't participate here.  "Being liberal in what one accepts" means getting spammed.  I find that legitimate mail generally follows all the rules and formats and gets through just fine.  A standard is an ENFORCED set of specifications and if I choose to enforce it more tightly than others, too bad for them when they don't comply.