
Re: SPF I-D for review: draft-schlitt-spf-classic-00.txt

2005-03-04 07:25:14

Well, current SMTP specifications allow for anyone to use any domain in either the rfc2821 identities, or any place in rfc2822. All authentication schemes intend to change that.

AFAIK, none of SSL, TLS, or SMTP AUTH make any such change.

well, it depends on what you mean by "being able to use any domain"

Well, that was Wayne's comment. From my perspective (as a mobile user (i.e. connecting via an unpredictable IP address) with need to use only a few domain names) I'd phrase the issue as "being able to use any IP address"; and that's where SPF utterly fails.

or to put it another way, SPF is not applicable to that case.

To be precise, I mean that when sending mail, I need to specify a mailbox in the return path which uses my ISP's domain name (because that (my mailbox) is where legitimate bounces should go) and likewise in the From and/or Reply-To and/or Sender fields of the message header -- regardless of my IP address, and regardless of the ISP that I happen to be sending the message(s) via, if I use an ISP's SMTP relay, and regardless of whether I choose to use such a relay (e.g. to store a single copy of a message for distribution to multiple recipients) or to directly connect to the designated MX host(s) for the message recipient(s).

entirely agree. and a number of ISPs and networks are blocking outbound access to port 25, thus forcing their users to send outgoing mail via their SMTP servers (they may permit use of another network's submission server on port 587).

And SMTP AUTH provides for SMTP session authentication independent of transport layer security, and without imposing unreasonable restrictions on IP address or domain name.

then again, in most cases, SMTP AUTH does nothing to authenticate the message originator to an intermediate MTA or recipient. it can authenticate one MTA to another, or it can authenticate an originator to his message submission agent, but it doesn't do much to address the problem of an MTA or recipient that wants to avoid handling unauthorized mail. so SMTP AUTH is really not comparable to the authentication schemes Wayne was referring to. SMTP AUTH was mostly intended to allow servers to accept outgoing mail without being open relays.

what might be useful is for an MSA to use SMTP AUTH to establish credentials of an originator, and then use that to add headers to a message authenticating that message as being from that originator. (though you need some way for the originator to defeat that in case he wants to be anonymous)
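The idea in the last paragraph above, sketched as an added example that is not part of the original thread or of any SPF or SMTP AUTH specification: an MSA stamps a message with the identity it verified via SMTP AUTH, strips any client-supplied copy of that header, and lets the originator opt out. The header name, the key, and the use of a shared-key HMAC over the From field and body are all assumptions made for illustration, and only single-part messages are handled.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message
from typing import Optional

# Hypothetical header name and constructed key; neither is from the thread or a standard.
AUTH_HEADER = "X-MSA-Authenticated-Originator"
MSA_KEY = b"constructed-demo-key"

def _mac(originator: str, msg: Message) -> str:
    # Bind the authenticated identity to the From field and the (single-part) body.
    material = "\n".join([originator, msg.get("From", ""), msg.get_payload()])
    return hmac.new(MSA_KEY, material.encode(), hashlib.sha256).hexdigest()

def msa_stamp(raw: str, auth_user: Optional[str], anonymous: bool = False) -> str:
    """MSA side: auth_user is the identity proven by SMTP AUTH (None if no AUTH)."""
    msg = message_from_string(raw)
    del msg[AUTH_HEADER]  # drop any client-supplied copy so it cannot be forged
    if auth_user and not anonymous:  # originator may opt out to stay anonymous
        msg[AUTH_HEADER] = f"{auth_user}; mac={_mac(auth_user, msg)}"
    return msg.as_string()

def verify(raw: str) -> Optional[str]:
    """Verifier side: return the originator if the header checks out, else None."""
    msg = message_from_string(raw)
    value = " ".join((msg.get(AUTH_HEADER) or "").split())  # undo header folding
    if "; mac=" not in value:
        return None
    originator, mac = value.split("; mac=", 1)
    return originator if hmac.compare_digest(mac, _mac(originator, msg)) else None

# Constructed sample message.
SAMPLE = "From: alice@isp.example\nTo: bob@example.org\nSubject: hi\n\nHello Bob\n"

if __name__ == "__main__":
    print(verify(msa_stamp(SAMPLE, "alice@isp.example")))
```

The stamp depends only on the authenticated session, not on the client's IP address, which is the property the mobile-user case in the thread needs.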

