Alex wrote: > On Tue, Oct 6, 2015 at 5:05 PM, Kevin A. McGrail <kmcgr...@pccc.com > <mailto:kmcgr...@pccc.com>> wrote: > The behavior of forwarding content which effectively is the same as > a forgery is where the danger lies... If this is behavior that users > are performing, of course then there needs to be appropriate > reaction but overall, forwarding emails is going to cause issues > with a ton of domains and should be discouraged entirely.
> Can we temper this rule with a check to see if the mail indeed did pass > through a fb server? You're checking the From: header, which can > obviously be easily spoofed, but perhaps if it originated from a > facebook server? Simpler to update trusted_networks, so then *all* mail forwarded from this source will have its "origin" correctly interpreted. I do that here for customers whose domain email is hosted elsewhere, but forwarded to their ISP account with us. The question then becomes, how far do you trust the relay host? If you don't trust them, you *can't* rely on any Received: header other than the one your server added, everything else is suspect and possibly spoofed by definition. If you *do* trust them enough to consider the "Received: from mx-out.facebook.com...." header, why not add the trust path entry? -kgd
