Developers of Sympa

[address@concealed]

Dick Visser wrote:

> Serge Aumont wrote:
>
> > The From: header is used. We should say for "identification" not for 
> > "authentification" because it's really not a secure information and 
> > the listmaster can decide to use authorization scenario that always 
> > require a stronger authentication.
> >
> > > Or the Envelope-From address?
> > >
> > > And what if they both exist and are different? 
> >
> >
> > The envelope-From is ignored, unless the Return-path header is tested 
> > in scenario (usually not used).
>
>
> So using sympa does not protect me from being spammed as well.

All mailing list server use From: header but Sympa do not trust this 
header in a hard coded way. Sympa scenario allows you to test any header 
in the authorization/authentification processus. So you can request user 
authentication by email chalenge or s/mime signature.

> Would it be difficult to apply SPF checks to the From: header address?
> Since sympa is written in perl you could also use SPF::Query I guess.

SPF is based on remote MTA IP so spf verification MUST be operated by 
the MX of the receiving domain.  Ones the message is relayed inside your 
domain SPF can't be verified anymore. If you are using a milter for 
sendmail on your MX, the  message will be taggued by the milter with a 
specific custom header and this header can be tested by other 
application. Sympa authorization and authentification scenari can do it 
right now because any header can be tested. You probably can do the same 
with postfix, exim, qmail...

DKIM is based on a signature added by the remote MTA. DKIM can be 
checked even after the message was relayed. We allready check DK 
signature on our incomming MTA and Sympa can test to DKIM status on a 
SMTP header. We plans to add a DKIM verification directly in Sympa it 
would become a authentication method in Sympa scenario. DKIM integration 
in mailing srevice is rather complex and need first that DKIM become 
more standard and stable.

Serge