On 5 Jul 2019, at 10:30, David Jones wrote:
On 7/5/19 9:09 AM, Bill Cole wrote:
On 5 Jul 2019, at 9:37, David Jones wrote:
For the sake of others, it would be beneficial if the default
behavior
of X-Relay-Countries changed to the X-Relay-Countries-MSA.
Definitely not for 3.4.3. Preferably not at all. While I agree in
principle with having some way to trust machines as honest without
trusting their authentication systems to be bulletproof, that
shouldn't
involve changing a useful stable feature in a way that will break
reasonable configurations. That change would cause substantial false
positives at some sites if deployed without carefully considered
preparation. It would be a poison pill for packagers who value
stability.
I believe the only change would be the Relay-Countries value would
have
country codes in it.
Yes, which it shouldn't.
It may sound weird, but it is true that I work with 2 mostly unrelated
mail systems where mail comes in via MSAs whose authentication is
trustworthy from end-users who live and/or travel in places that send
those systems very little legitimate mail via untrusted/unauthenticated
sources.
We aren't suggesting changing any other logic so
the ALL_TRUSTED would still hit and RBLs would not be check on
authenticated IPs.
Is your concern the RBL checks on those authenticated IPs?
No. My concern is about changing what is in Relay-Countries.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)