David F. Skoll wrote:
Ponder the security risks of such an implementation.
Like what?
You see no security risks in allowing some random person to set your
valid recipient list using unauthenticated e-mail? (X-Note: Password
is pretty weak authentication and easily sniffed. At the very least,
the e-mail should be PGP-signed and possibly encrypted before being
accepted.)
hmmmm, David, that was a template to create the required email. How it
was signed, sent or delivered is really not the point. Maybe it was signed,
maybe TLS/AUTH was used. Even then I would personally, and still do, have
more trust in a standard 1 to 1 email transaction than in what you are
proposing. Once received, who knows what the other end did. It is
private mail. So it has a weak X-Note? Maybe it is used to confirm the
TLS/AUTH. Who knows? That's their internal issue. Hands down, no
question. The method that is already in place is more secure than a public
database proposal.
Let's see, why not use existing user validation? LDAP? RADIUS?
Because DNS is widely-implemented, lightweight, scalable, cacheable
and has built-in facilities for replication.
True. RADIUS is pretty fast. LDAP, RADIUS already exist for user
authentication. Even then, you still have to write the protocol, and
get everyone to get on board which will take time. And who is the
customer? The Secondary MX Service Bureau who more than likely has a
system in place?
(NOTE: Devil Advocate here <g>)
>> Correct. That was the goal of the example. The IP input
>> was my address using your address - SPF rejected it
>> as expected.
> No, check the URL in my original e-mail again. I used my IP address.
What you used was:
ip = 209.191.13.82
cdn = [209.191.13.82]
from = dfs(_at_)roaringpenguin(_dot_)com
and SPF reported FAIL which is correct.
The SPF DNS TXT query for roaringpenguin.com is:
v=spf1 a -all
which says:
Query the A record of the domain roaringpenguin.com, which is:
206.191.13.82
and test the IP against the connecting IP 209.191.13.82 (simulated
input). Since it did not match, the hard fail, -all, resulted in a SPF
FAIL.
Change the IP to 206.191.13.82 at the test form or the URL and you will
get a correct pass:
20070502 12:28:01 00006e74 cip : 206.191.13.82
20070502 12:28:01 00006e74 cdn : [206.191.13.82]
20070502 12:28:01 00006e74 from : dfs(_at_)roaringpenguin(_dot_)com
....
20070502 12:28:02 00006e74 sapspf : v=spf1 a -all
20070502 12:28:02 00006e74 sapspf : pass (time:0)
20070502 12:28:02 00006e74 finaltest : SPF GlobalResult=-1
CodeResponse=250
20070502 12:28:02 00006e74 result : accept (-1)
20070502 12:28:02 00006e74 wcsap finish (453 msecs)
But I would still love to see your DNS-VRFY I-D proposal! <g>
I've never done an I-D before. If anyone on the list wants to help
out, please e-mail me off-list.
Here is what most everyone uses with the spiffy XML2RFC outline/editor.
http://xml.resource.org/
With this tool, you would be able to create the TXT, HTML and XML.
--
HLS
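The SPF evaluation walked through above (query the A record of the sender domain, compare it with the connecting IP, and let "-all" turn a non-match into FAIL) is easy to reproduce in code. The following is an added example, not code from the thread, from wcSAP, or from any SPF library; the DNS data is a constructed in-memory table so it runs offline. The A record and TXT record for roaringpenguin.com are the values quoted in the message; the "example.test" zone is made up to show that the same loop also handles "ip4:" prefixes and a "~all" softfail, which goes a little beyond the "a -all" case discussed here.

```python
"""Minimal SPF evaluator for the 'a', 'ip4' and 'all' mechanisms.

Added example, not code from the thread or from wcSAP/any SPF library.
DNS answers come from a constructed table below so the script runs
offline. Not supported (returns "permerror"): mx, include, redirect,
exists, ptr, macros and '/cidr' suffixes on 'a'.
"""

import ipaddress

# Constructed DNS table: name -> {"A": [...], "TXT": [...]}
DNS = {
    "roaringpenguin.com": {
        "A": ["206.191.13.82"],           # A record as stated in the thread
        "TXT": ["v=spf1 a -all"],         # SPF record as stated in the thread
    },
    "example.test": {                     # constructed zone, not real
        "A": ["192.0.2.10"],
        "TXT": ["v=spf1 ip4:198.51.100.0/24 a ~all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def get_spf_record(domain):
    """Return the single SPF TXT record for domain, or None.

    Zero records, or more than one, leaves the domain without a usable
    policy, so the caller reports 'none'.
    """
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return None
    return records[0]


def check_host(ip, domain):
    """Evaluate SPF for connecting address ip claiming to send as domain.

    Mechanisms are tested left to right; the first one that matches
    decides the result via its qualifier (default '+' = pass). If none
    matches, the result is neutral.
    """
    record = get_spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            # 'a' with no argument means the A record(s) of the sender domain
            target = arg or domain
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(target, "A"))
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    # The two connecting IPs from the thread: the first fails, the second passes.
    for cip in ("209.191.13.82", "206.191.13.82"):
        print(cip, "->", check_host(cip, "roaringpenguin.com"))
```

Running it prints "fail" for 209.191.13.82 and "pass" for 206.191.13.82, matching the wcSAP log quoted above. The point worth keeping in mind from the evaluator's shape is that the result is driven entirely by DNS data the sender domain publishes, which is why the thread treats a DNS-based check as cheap and cacheable while still expecting the connecting IP, not any header content, to be the thing being verified.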