From: John Hardin <jhar...@impsec.org>
   Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
   
   On Tue, 19 Jun 2012, Benny Pedersen wrote:
   
   > On 2012-06-19 22:39, Kevin A. McGrail wrote:
   >
   >>  I think that's the concept behind the whitelist_from_spf
   >
   > but some use whitelist_from, it's nothing new there :=)
   >
   > can user_in_whitelist be changed to not have -100 as default score, or is 
   > whitelist_from planned for removal?
   
   It's needed for when none of the other more-strict whitelist options will 
   work, so we can't just get rid of it.
   
True.

   I'd suggest instead a lint warning if it is used, alerting the admin that 
   it's discouraged and that it has problems like this and is very easy to 
   spoof.
   
How about creating a different score for whitelist_from that is
separate from whitelist_from_rcvd?   For example, whitelist_from could
trigger USER_IN_SIMPLE_WHITELIST (or some other variation).   The
description of the test could include warnings about how easy
it is to spoof whitelist_from.

-jeff
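
The difference the thread is discussing, as an added example that is not part of the original messages and is not SpamAssassin's code: a simplified model of a From-only whitelist check next to one that also requires the handing-over relay's rDNS to match, in the spirit of whitelist_from_rcvd. The domains, sample messages and function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed samples. The top Received header is the one our own MX wrote;
# the rDNS name in parentheses was looked up by our server, while the From
# header is whatever the sending side typed.
def _mail(relay):
    return (f"Received: from {relay} ({relay} [203.0.113.9])\n"
            "\tby mx.local.example; Tue, 19 Jun 2012 14:00:00 -0700\n"
            "From: Alice <alice@partner.example>\n"
            "Subject: invoice\n\nbody\n")

FORGED = _mail("mail.unrelated.example")   # claims partner.example in From only
LEGIT = _mail("out1.partner.example")      # really relayed by partner.example

def sender(msg):
    """Address from the From header, lowercased."""
    return parseaddr(msg["From"] or "")[1].lower()

def relay_rdns(msg):
    """rDNS name recorded in the topmost Received header, or ''."""
    m = re.match(r"from\s+\S+\s+\((\S+)\s+\[", msg["Received"] or "")
    return m.group(1).lower() if m else ""

def from_only(msg, pattern):
    """whitelist_from-style check: glob match on the From address alone."""
    return fnmatchcase(sender(msg), pattern.lower())

def from_and_relay(msg, pattern, rdns_domain):
    """Stricter check: From must match AND the relay rDNS must be in rdns_domain."""
    host, dom = relay_rdns(msg), rdns_domain.lower()
    return from_only(msg, pattern) and (host == dom or host.endswith("." + dom))

def classify(raw, pattern="*@partner.example", rdns_domain="partner.example"):
    """Return (from_only_hit, from_and_relay_hit) for a raw message."""
    msg = message_from_string(raw)
    return from_only(msg, pattern), from_and_relay(msg, pattern, rdns_domain)

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(name, classify(raw))
```

The forged sample hits the From-only check but not the relay-bound one, which is why a separately named and scored rule for the From-only case would make the weaker match visible in reports.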
