On Fri, Apr 02, 2004 at 07:00:57PM -0800, John Gardiner Myers wrote:
> They are unauthorized per the explicit policy advertisement made by the
> domain holder. The MTA sending mail with the identity is not on that
> domain's list of authorized servers.
I agree with Dave that the term "desired forgery" is contradictory and
confuses the meaning. "Forgery" is one type of inappropriate/bad behavior
that is (mostly) mitigated by an LMAP system. Other ways that the real,
authorized sender might legitimately send mail today, but would be
disallowed by LMAP, shouldn't be called forgery. I don't have a "best"
suggestion but here are a few... feel free to add more:
unexpected source
remote MTA
unsupported relay, third-party relay
out-of-policy
--"Mark C. Langston" <mark(_at_)bitshift(_dot_)org> wrote:
> The point I'm getting at in that statement is this: The choice to add
> TXT (or other less-common) RR's to a zone file may be as likely to be
> that of the hosting service than the domain holder. Likewise, the
> content of those RR's may well be decided by the hosting service (though
> I hold up EasyDNS's recent introduction of SPF TXT RR's as a shining
> counter-example: http://support.easydns.com/tutorials/spf/ ).
That reminds me, there was another point I wanted to mention. Usually we
think of LMAP as "a policy that applies to all messages from a certain
domain". But, it is actually possible with SPF (using macros) to assert a
different policy for each individual user as well. Check out the following
example:
example.com. IN TXT "v=spf1 a mx ptr include:%{l}.user-spf.example.com -all"
gconnor.user-spf.example.com. IN TXT "v=spf1 ptr:nekodojo.org"
mark.user-spf.example.com. IN TXT "v=spf1 ptr:bitshift.org"
postmaster.user-spf.example.com. IN TXT "v=spf1 -all"
*.user-spf.example.com. IN TXT "v=spf1 -all"
What does this mean?
1. A little flexibility can be a good thing. It's possible that people
will find uses for the technology that nobody on the original team would
have thought of.
2. It's possible to design a system where users can type in their own
overrides - if an ISP or corporate megalith has enough users, they might
want to provide per-user settings. This permits users more flexibility to
send, and as a bonus it can also make it harder for one user to forge the
name of another user at the same domain.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
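To show how a receiver would evaluate the per-user records in the post above, here is an added example (not part of the thread) that walks the %{l} macro include against a constructed in-memory zone. The TXT records are the ones from the post; the A, MX and PTR data, the sender addresses and the IPs are constructed, and only the mechanisms those records use are implemented.

```python
# Constructed zone data. TXT records are the ones quoted in the post;
# A/MX/PTR entries are made up so the example runs offline.
TXT = {
    "example.com": "v=spf1 a mx ptr include:%{l}.user-spf.example.com -all",
    "gconnor.user-spf.example.com": "v=spf1 ptr:nekodojo.org",
    "mark.user-spf.example.com": "v=spf1 ptr:bitshift.org",
    "postmaster.user-spf.example.com": "v=spf1 -all",
    "*.user-spf.example.com": "v=spf1 -all",
}
A = {"example.com": {"192.0.2.10"}, "mail.example.com": {"192.0.2.20"}}
MX = {"example.com": ["mail.example.com"]}
PTR = {"198.51.100.5": "smtp.nekodojo.org", "198.51.100.9": "mx.bitshift.org"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(name):
    """Exact name first, then the single-label wildcard the post relies on."""
    if name in TXT:
        return TXT[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return TXT.get("*." + parent)

def check_host(ip, domain, sender, depth=0):
    """Evaluate <domain>'s SPF record for <sender> sending from <ip>.
    Returns pass/fail/softfail/neutral, or 'none' when no usable record."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    local = sender.partition("@")[0]
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        # Macro expansion: %{l} is the sender's local part, %{d} the domain.
        arg = arg.replace("%{l}", local).replace("%{d}", domain) or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in A.get(arg, set())
        elif mech == "mx":
            matched = any(ip in A.get(h, set()) for h in MX.get(arg, []))
        elif mech == "ptr":   # simplified: reverse name only, no forward confirmation
            host = PTR.get(ip, "")
            matched = host == arg or host.endswith("." + arg)
        elif mech == "include":   # include matches only when the nested check passes
            matched = check_host(ip, arg, sender, depth + 1) == "pass"
        else:
            return "none"   # unknown mechanism; a full evaluator returns permerror
        if matched:
            return RESULT[qualifier]
    return "neutral"
```

With these records, gconnor@ passes only from a nekodojo.org host, mark@ only from a bitshift.org host, postmaster@ only from the domain's own A/MX servers, and any other local part falls through the wildcard to -all.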