ietf-mxcomp

Re: Benefits/costs of authorizing different identities

2004-04-03 04:25:51

On Fri, Apr 02, 2004 at 07:00:57PM -0800, John Gardiner Myers wrote:

> They are unauthorized per the explicit policy advertisement made by the
> domain holder.  The MTA sending mail with the identity is not on that
> domain's list of authorized servers.


I agree with Dave that the term "desired forgery" is contradictory and confuses the meaning. "Forgery" is one type of inappropriate/bad behavior that is (mostly) mitigated by an LMAP system. Other ways that the real, authorized sender might legitimately send mail today, but would be disallowed by LMAP, shouldn't be called forgery. I don't have a "best" suggestion but here are a few... feel free to add more:
 unexpected source
 remote MTA
 unsupported relay, third-party relay
 out-of-policy


--"Mark C. Langston" <mark(_at_)bitshift(_dot_)org> wrote:
> The point I'm getting at in that statement is this:  The choice to add
> TXT (or other less-common) RR's to a zone file may be as likely to be
> that of the hosting service as the domain holder.  Likewise, the
> content of those RR's may well be decided by the hosting service (though
> I hold up EasyDNS's recent introduction of SPF TXT RR's as a shining
> counter-example:  http://support.easydns.com/tutorials/spf/ ).


That reminds me, there was another point I wanted to mention. Usually we think of LMAP as "a policy that applies to all messages from a certain domain". But, it is actually possible with SPF (using macros) to assert a different policy for each individual user as well. Check out the following example:

example.com. IN TXT "v=spf1 a mx ptr include:%{l}.user-spf.example.com -all"
gconnor.user-spf.example.com.     IN TXT  "v=spf1 ptr:nekodojo.org"
mark.user-spf.example.com.        IN TXT  "v=spf1 ptr:bitshift.org"
postmaster.user-spf.example.com.  IN TXT  "v=spf1 -all"
*.user-spf.example.com.           IN TXT  "v=spf1 -all"
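To make the per-user macro trick concrete, here is an added toy SPF evaluator (not code from the post or from any real SPF implementation) that walks the records above against constructed DNS data. The A/MX/PTR entries and the 192.0.2.x addresses are assumptions, only the a, mx, ptr, include and all mechanisms are modelled, and DNS wildcard matching is simplified.

```python
# Constructed DNS data (an assumption, not real zone contents) for the records quoted above.
TXT = {
    "example.com": "v=spf1 a mx ptr include:%{l}.user-spf.example.com -all",
    "gconnor.user-spf.example.com": "v=spf1 ptr:nekodojo.org",
    "mark.user-spf.example.com": "v=spf1 ptr:bitshift.org",
    "postmaster.user-spf.example.com": "v=spf1 -all",
    "*.user-spf.example.com": "v=spf1 -all",
}
A = {"example.com": "192.0.2.10", "mail.example.com": "192.0.2.10",
     "mx.nekodojo.org": "192.0.2.20", "smtp.bitshift.org": "192.0.2.30"}
MX = {"example.com": ["mail.example.com"]}
PTR = {"192.0.2.10": ["mail.example.com"], "192.0.2.20": ["mx.nekodojo.org"],
       "192.0.2.30": ["smtp.bitshift.org"]}
RESULT = {"+": "pass", "-": "fail", "?": "neutral", "~": "softfail"}

def txt(name):
    # TXT lookup with simplified DNS wildcard handling: fall back to "*.<suffix>".
    if name in TXT:
        return TXT[name]
    labels = name.split(".")
    return next((TXT[w] for w in ("*." + ".".join(labels[i:]) for i in range(1, len(labels))) if w in TXT), None)

def validated_names(ip):
    # ptr mechanism: reverse names that also resolve forward to the same IP.
    return [h for h in PTR.get(ip, []) if A.get(h) == ip]

def check(ip, sender, domain, depth=0):
    # Return pass / fail / neutral / softfail / none for one client IP and MAIL FROM.
    record = txt(domain)
    if record is None or depth > 10:      # no policy, or include chain too deep
        return "none"
    # Expand the %{l} (local-part) macro that selects the per-user record.
    record = record.replace("%{l}", sender.split("@")[0]).replace("%{d}", domain)
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        qual = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-?~").partition(":")
        target = arg or domain
        if name == "all":
            hit = True
        elif name == "a":
            hit = A.get(target) == ip
        elif name == "mx":
            hit = any(A.get(h) == ip for h in MX.get(target, []))
        elif name == "ptr":
            hit = any(h == target or h.endswith("." + target) for h in validated_names(ip))
        elif name == "include":           # matches only when the nested policy passes
            hit = check(ip, sender, target, depth + 1) == "pass"
        else:
            hit = False                   # mechanisms not modelled here never match
        if hit:
            return RESULT[qual]
    return "neutral"                      # nothing matched and no explicit "all"
```

Two caveats the records leave implicit: the expanded local part must form a valid DNS label, and the ptr mechanism these 2004-era records rely on is one that RFC 7208 later says SHOULD NOT be used.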

What does this mean?

1. A little flexibility can be a good thing. It's possible that people will find uses for the technology that nobody on the original team would have thought of.

2. It's possible to design a system where users can type in their own overrides - if an ISP or corporate megalith has enough users, they might want to provide per-user settings. This permits users more flexibility to send, and as a bonus it can also make it harder for one user to forge the name of another user at the same domain.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>