|
|
Our spf record ends with -all, and we run with "verify return-path for: everybody" and "check spf records: enabled", and CNN's servers certainly aren't in our spf record :-)
So mail from mjstraw@iup.edu to mjstraw@iup.edu originating from a CNN server would fail both auth and spf checks. I forget which happens first.
Mark
On 1/10/2012 9:03 AM, Mark J Strawcutter wrote:
What Nicolas said :-)
We run with "force smtp auth for = everybody" and run into this
periodically. No barracuda box or the like in front of CGP. News
services like CNN and Washington Post are common culprits.
The service (CNN) is broken. We explain to affected users that to allow
such mail would potentially result in spoofed/impersonated mail from
other sources and/or increased spam.
We instruct the very few that still object to contact the sender (CNN)
or use a gmail etc account to receive the material.
Mark
On 1/4/2012 8:05 PM, Nicolas Hatier wrote:
Well-behaving subscription services don't use the user's email as
return-path. The From header is usually not an issue, but using the
user's email in the MAIL FROM smtp command is, in fact, impersonating,
and while I'm not sure it's against any RFC, it's not "playing nice".
I know this doesn't fix your issue now, but your configuration is OK,
CNN configuration is wrong.
*Nicolas Hatier, ing.* <nicolas.hatier@niversoft.com
<mailto:nicolas.hatier@niversoft.com>>
Niversoft idées logicielles - http://www.niversoft.com
On 2012-01-04 14:35, Todd Clayton wrote:
Hello,
Hopefully I am going to explain this clearly...
Here is some background information:
1. The mail server users are all remote/mobile.
2. There is a barracuda spam filter sitting in front of the mail
server. So, the mail server sees all incoming mail as coming from the
barracuda and not as the end-user IP.
3. I only allow authenticated users relay mail through the server
since if I allowed local client IP's and all mail comes from the
barracuda IP, all mail will be allowed to be relayed if I understand
it correctly.
This configuration works fine for everything except when users
received mail that is sent from an address on the server itself from a
3rd-party site. So, for example, if my email address is todd@mail.com
(in this scenario mail.com is my mail server). Bob goes to CNN and
wants to notify me of an article and enters bob@mail.com. When CNN
sends the mail to the server, it sets the from address as
bob@mail.com. So, my mail server rejects the mail with the message
that it requires authentication.
Is there a way to allow mail sent to local email addresses from other
local email message to be delivered without requiring authentication?
I apologize if this has been addressed before. Any thoughts would be
appreciated.
Thanks,
Todd
#############################################################
This message is sent to you because you are subscribed to
the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to <CGatePro-request@mail.stalker.com>
|
|