Official SRS support
Henno Täht
2011-09-22 15:14:12 UTC
Dear list,

We maintain and support an Exchange 2010 server and we recently had an
incident that mails originating from our server were not received by
the receiving party. Investigating this matter revealed that this was
caused by the fact that the receiving party had forwarded his mails to
another domain. But since we implement SPF, which states which IP
addresses are allowed to send mail with our domain in the From field,
and the forwarder does not implement SRS, the destination server saw
the mail to be originating from the forwarder and not from us and thus
refused accepting it.

We asked the forwarder (a major player in the country) to implement
We would add SRS support if Postfix started to support SRS officially.
At the moment there is only unofficial hack available (to old postfix) and
we would not want to use such a solution.
Gentlemen, you if anyone can shine some authoritative light on this
matter: what is the outlook of Postfix getting an official SRS
support? Is it completely in vain to hope for it?

Best regards,
Henno Täht
technical consultant
Diara OÜ
Heiko Wundram
2011-09-22 15:22:32 UTC
Post by Henno Täht
Gentlemen, you if anyone can shine some authoritative light on this
matter: what is the outlook of Postfix getting an official SRS
support? Is it completely in vain to hope for it?
I'm currently working on a milter to add SRS-support (also) for Postfix
because of having the same problem(s); see the discussion on
postfix-users from a week ago or so. It should be ready in a week or so
when I find the time to work on it separate from my day job.
--
--- Heiko.
Wietse Venema
2011-09-22 15:35:33 UTC
Post by Henno Täht
Gentlemen, you if anyone can shine some authoritative light on this
matter: what is the outlook of Postfix getting an official SRS
support? Is it completely in vain to hope for it?
For the foreseeable future, authentication protocols such as DKIM
etc. shall be implemented with plugins (policy or milter).

Wietse
Henno Täht
2011-09-22 15:41:13 UTC
Post by Wietse Venema
For the foreseeable future, authentication protocols such as DKIM
etc. shall be implemented with plugins (policy or milter).
Okay. I found Add-ons page on www.postfix.org but only SPF support was there
without complementing SRS support.

I did, however, notice this:

"Note: Postfix already ships with SPF support, in the form of a plug-in
policy daemon. This is the preferred integration model, at least until SPF
is mandated by standards."

What do you think about shipping SRS along with SPF (once Heiko finishes his
work). Those two should go hand-in-hand in my view. No?

Henno
Heiko Wundram
2011-09-22 15:55:47 UTC
Post by Henno Täht
"Note: Postfix already ships with SPF support, in the form of a plug-in
policy daemon. This is the preferred integration model, at least until SPF
is mandated by standards."
Policy daemons can't change Sender/Recipient addresses, but that's
required for SRS. This means that Policy Daemons can't implement SRS,
but rather only SPF (which only makes a "decision" about a mail).
--
--- Heiko.
Wietse Venema
2011-09-22 18:44:11 UTC
Post by Henno Täht
What do you think about shipping SRS along with SPF (once Heiko finishes his
work). Those two should go hand-in-hand in my view. No?
They can go hand-in-hand elsewhere.

I'll be glad to link postfix.org pages to third-party plugin
implementations, but I have no time to adopt and maintain them.

The greylist and SPF scripts are for demonstration purposes. They
illustrate that their functionality can be (and therefore should
be) implemented with third-party plugins.

Wietse
Henno Täht
2011-09-22 20:49:29 UTC
Post by Wietse Venema
I'll be glad to link postfix.org pages to third-party plugin
implementations, but I have no time to adopt and maintain them.
The greylist and SPF scripts are for demonstration purposes. They
illustrate that their functionality can be (and therefore should
be) implemented with third-party plugins.
Is it reasonable to assume that most third party plugins survive version
upgrades? That's what I suspect the forwarder is seeking and why they call
3rd party plug-ins 'hacks'.

Henno
Noel Jones
2011-09-23 04:21:23 UTC
Post by Henno Täht
Is it reasonable to assume that most third party plugins survive
version upgrades?
With the documented postfix third-party interfaces -- policy
service, milter, smtp proxy, content filter, TCP tables, other stuff
-- care is taken to maintain compatibility between versions even as
features are added.

Care is also taken to document the expected data exchange format,
and to document any changes introduced by software evolution.

As a result of this time consuming design and testing process, the
vast majority of third party plugins will work with their designed
version of postfix and later.
Post by Henno Täht
That's what I suspect the forwarder is seeking and
why they call 3rd party plug-ins 'hacks'.
The original poster is apparently referring to a very old third
party postfix source code patch attempting to implement libsrs.
IIRC the patch was never stable nor functional at a production
level, and never widely used. In general, source patches become
less usable as the base software evolves. I don't know the status
of this particular patch, but I would be surprised if it can be used
with current postfix without major surgery.
Calling it a hack seems appropriate.


-- Noel Jones
Thomas Goirand
2011-09-24 11:51:17 UTC
Post by Henno Täht
What do you think about shipping SRS along with SPF (once Heiko finishes
his work). Those two should go hand-in-hand in my view. No?
Henno
Right, but the issue remains: if some forwarders that *you do not
control* are failing to implement SRS, you're dead anyway. SPF is bad by
design, and DKIM is much much better, as Wietse Venema pointed out.

For example, I have a zigo at debian email, which is only a forwarder. I
do not control the forwarder at debian.org, and people often send me
email to that address. Unfortunately, when someone has SPF fields, the
mail never reaches me, since debian doesn't implement SRS. I really
doubt that any DAM will want to implement SRS: I'm almost sure that they
will tell me that SPF sux because of the above (the forwarder, which
might not be doing SPF filtering, and which you don't control, might not
support SRS, which leads to issues you will never be able to solve). And
I would agree that this fact sux.

DKIM doesn't suffer from such issues.

Cheers,

Thomas
