ietf-mxcomp

Re: Trust, and who knows what (was Re: SPF abused by spammers )

2004-09-19 12:09:08

"Mark C. Langston" opined:


On Sun, Sep 19, 2004 at 10:57:22AM +0100, Chris Haynes wrote:

 "Alan DeKok" replied:

  It's not the MAIL FROM which is flawed, it's the ability of the
recipient to believe the sender's trust in the shared MTA, as anything
other than a statement of faith made by the vendor.


Ah! Now here we can agree. We may differ as to _whose_ trust is broken, but
the crucial point is that a shared MTA is being trusted to have ensured that
the sender is authorised to use the Mail-From. There is no indication in the
SMTP protocol, or in the message headers, that this authorisation is actually
taking place.



But with SPF, the trust you're being asked to place is not whether the
sender is authorized to use that MAIL FROM:; it's whether the entity
connecting to your MTA (the destination MTA, presumably) is one
associated with the MAIL FROM: RHS.  It's a somewhat subtle, but
important, distinction.


I beg to differ.

SPF can check the whole of the MAIL-FROM address, not just the RHS.  You can
construct policies which use the macro function to insert the LHS into a further
look-up - thus giving a policy which is user-specific, not just domain-specific.

A 'trusted' shared MTA must prevent cross-customer forgery to at least the level
of granularity of the corresponding SPF policy.  So, to be _sure_ of providing
the level of trust required in offering the message it must, I think, ensure
that the whole Mail-From address LHS@RHS may be used by whatever entity is
asking it to send the message.

My language "sender is authorised to use..." relates to the tests which a
trusted MTA server needs to undertake internally to discharge the trust that is
placed in it, not to the semantics of the SPF test itself.

Chris Haynes
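
Added example, not part of the original message: a Python sketch of the user-specific policy described above, where the SPF macro for the LHS is expanded into a further look-up, next to the internal check a shared MTA would need so that one customer cannot use another customer's address. The record `exists:%{l}._spf.%{d}`, the zone contents, the account names and all function names are constructed for illustration; only a subset of the macro syntax is handled.

```python
import re

# Constructed stand-in for DNS: names for which an A record exists.
ZONE = {"alice._spf.example.com", "bob._spf.example.com"}
# Constructed map: authenticated submission account -> MAIL FROM it may use.
OWNERS = {"cust-17": {"alice@example.com"}, "cust-42": {"bob@example.com"}}

MACRO = re.compile(r"%\{([slod])(\d*)(r?)([.\-+,/_=]*)\}|%([%_\-])")
LITERALS = {"%": "%", "_": " ", "-": "%20"}

def expand(spec, sender):
    """Expand the s, l, o and d macros of an SPF domain-spec (subset only)."""
    local, _, domain = sender.rpartition("@")
    local = local or "postmaster"          # SPF default for an empty local part
    # Assumption: no include/redirect, so the checked domain (d) equals o.
    values = {"s": f"{local}@{domain}", "l": local, "o": domain, "d": domain}

    def repl(m):
        if m.group(5):                     # %%, %_ and %- literals
            return LITERALS[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]   # keep the right-most N parts
        return ".".join(parts)

    return MACRO.sub(repl, spec)

def exists_matches(mechanism, sender, zone=ZONE):
    """Receiver side: evaluate 'exists:<domain-spec>' against the stand-in zone."""
    if not mechanism.startswith("exists:"):
        raise ValueError("only the exists mechanism is handled here")
    return expand(mechanism[len("exists:"):], sender).lower() in zone

def mta_may_send(account, sender, owners=OWNERS):
    """Shared-MTA side: allow only a full LHS@RHS bound to this account."""
    return sender.lower() in owners.get(account, set())

if __name__ == "__main__":
    policy = "exists:%{l}._spf.%{d}"
    print(exists_matches(policy, "alice@example.com"))    # user-specific match
    print(exists_matches(policy, "mallory@example.com"))  # no such user record
    print(mta_may_send("cust-17", "bob@example.com"))     # cross-customer use
```

The receiver-side look-up succeeds for bob@example.com regardless of which customer submitted the message, so only the MTA's own account-to-address check distinguishes the two customers.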