configuration error in lists.isc.org

Reindl Harald h.reindl at thelounge.net
Mon Aug 10 22:12:01 UTC 2015


truncated the long, hard to understand and unrelated stuff....

On 10.08.2015 at 23:49, Lawrence K. Chen, P.Eng. wrote:
>> that above is pure nonsense - your DOMAIN has either a strict SPF
>> policy - or a testing policy ~ and no mix of both
>>
>> ~ means "testing, please don't reject if it doesn't pass" and has
>> *nothing* to do with good or bad IPs - from the moment you have a ~
>> you don't enforce SPF for *anybody* - bad enough that this topic
>> appeared at all but much worse that so many people set up SPF
>> without understanding it
>>
>>
> Except there are people that feel a strict black and white policy is too
> limiting.

well, when you can't say from where you send mail you should refrain 
from setting up SPF at all

> Especially when the IPs are a shared resource of the service provider
> where there is little to stop another customer from pretending to be us
> (just as there was nothing for us to pretend to be

the shared resource doesn't enforce SMTP authentication?

> .... or permit a
> visiting researcher to continue to send with his email address but through
> our servers....)

this has *nothing* to do with *your* SPF policy

your SPF record has nothing to do with foreign envelope-senders just 
because it says "these are allowed servers for my envelope domain" and
nothing else

> When suddenly they set up an SPF and rejected mail from us, with lots of
> angry messages and calls that it's my job to fix it so it'll work again.

in that case it has to be ruled out if you made a mistake by not including 
all your sending servers in your SPF

> As apparently lots of different universities have been originating
> mail this way for years and years.  And, they need to continue to do so,
> as the application can't do any authentication for sending....(since it
> had always worked....)

that's a lame excuse and finally means "don't set up SPF/DMARC at all if
you have no clue who is sending from where with what envelopes"

"since it has always worked" is a bad attitude - you enforce policies or 
just don't touch them at all
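
Added example, not part of the original message: a minimal Python sketch of SPF evaluation limited to the ip4, ip6 and all mechanisms (RFC 7208). It shows that the qualifier on `all` decides the result for every unlisted sender, and that the record consulted is the one published for the envelope-sender domain. The domains, address ranges and function names are constructed for illustration.

```python
import ipaddress

# Qualifier of the matching mechanism -> SPF result (RFC 7208)
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (documentation domains and address ranges)
RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "testing.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "visitor.example": "v=spf1 ip4:198.51.100.0/24 -all",
}


def evaluate(record, client_ip):
    """Evaluate ip4/ip6/all only; other mechanisms need DNS and raise."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= are skipped here
            continue
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError("unsupported mechanism: " + name)
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def check_mail_from(mail_from, client_ip, records=RECORDS):
    """Pick the record by the envelope-sender domain, then evaluate it."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    return "none" if record is None else evaluate(record, client_ip)


if __name__ == "__main__":
    for sender, ip in [("a@strict.example", "203.0.113.9"),
                       ("a@testing.example", "203.0.113.9"),
                       ("guest@visitor.example", "192.0.2.25")]:
        print(sender, ip, check_mail_from(sender, ip))
```

The third sample is the visiting-sender case from the thread: mail with a visitor.example envelope sent from a 192.0.2.0/24 host is judged by visitor.example's record, not by the record of the domain that owns the host.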

