On Tue, 28 Nov 2017 09:18:50 -0500 Bill Cole wrote:

> Well, the actual *COMMIT TO TRUNK*
> (http://svn.apache.org/viewvc?rev=1816394&view=rev) uses
> whitelist_auth for 6 entities, which IMHO is a terrible idea for the
> reasons I noted in my prior message.

The original post talked about extending the existing def_whitelist_from_spf entries, so it didn't occur to me that that might have happened. Hopefully it's just a copy and paste error.

> Fooling def_whitelist_from_rcvd (given the actual
> list) is likely a harder target than finding a permissively-typo'd
> SPF record or cracking an account in one of the many domains in the
> other two, so I've got no problem with it being as strong as both of
> them combined.

What I was getting at is that most of the existing entries are only for dkim, so these only get half of the score for dkim+spf or rcvd. There are also some setups where DKIM, SPF and rDNS don't all work correctly. Ordinarily you only need about -4 points to eliminate almost all FPs. But that changes if you are going down the path of whitelisting to mitigate aggressive, local or third-party rules.
