spf-discuss

Re: is there a better solution than sender rewriting?

2003-10-06 12:19:03
Meng Weng Wong wrote:

Sender rewriting sucks.  If there's a better solution, I'm all for it.

I assume that most of your difficulties stem from the forwarding problem.  
I have a few forwarder accounts on my own system for some of my friends.  
They will eventually have problems getting mail, since 65.64.162.194 is not 
a valid sender for all of the domains which mail them.

Since SPF is something that involves changes on the receiving end and not 
the forwarder, why not specify something that should be installed at the 
same time?  That is, when you install SPF, you'd better give your users 
some way to whitelist specific recipient e-mail addresses, or it's not 
going to work.

Here's the idea.  First, some background:

 - The account on my server is friend(_at_)example(_dot_)exploits(_dot_)org
 - It currently forwards to friend(_at_)isp(_dot_)example(_dot_)com

For my case, he could just whitelist the IP address of my server.  It's a 
hack, but it would work, since this is the only box who would ever mail 
him, and nobody on my system is going to spam him.

I realize there are many cases where this won't work, whether for 
technical reasons or ideological ones.  Maybe you don't like whitelisting 
entire hosts, or you don't want everyone on those hosts to be able to mail 
you.  For this, you do something different.

Instead of forwarding to friend(_at_)isp(_dot_)example(_dot_)com, I set it to 
forward to friend-secret(_at_)isp(_dot_)example(_dot_)com or 
friend+secret(_at_)isp(_dot_)example(_dot_)com (depending on the MTA involved), 
or maybe some third account which is aliased to him.  He then whitelists that 
specific envelope recipient, and his ISP will disregard the SPF mismatch when 
mail arrives for it.

Yes, someone could mail that and spam him, but that's why it's called a 
secret.  It would have to be leaked by me or by him first.  I suppose it 
could show up in the mail headers, and someone could see it if he ever 
showed someone a complete raw message.

I realize this means changing the mail software at the recipient, but 
you're having to do that anyway to add SPF.  Nothing changes on the 
forwarding/sending hosts, which means you don't need any rewriting hacks, 
and they don't need any new software.

I welcome comments.  Feel free to rip this apart if you spot a hole.
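
The receiver-side check proposed in this message, sketched as an added example; it is not code from the original post or from any SPF implementation. RecipientPolicy, decide and the 192.0.2.10 address are hypothetical names and constructed values, and the SPF result is assumed to have been computed already for the envelope sender.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RecipientPolicy:
    """Per-user exemptions from SPF enforcement (hypothetical structure)."""
    trusted_rcpts: set = field(default_factory=set)    # exact envelope recipients
    trusted_hosts: list = field(default_factory=list)  # forwarder networks


def normalize(addr):
    """Lower-case the domain only; the local part carries the secret verbatim."""
    local, _, domain = addr.strip().rpartition("@")
    return f"{local}@{domain.lower()}"


def decide(spf_result, client_ip, rcpt_to, policy):
    """Return (action, reason) for one RCPT TO, given the SPF result for MAIL FROM."""
    if spf_result != "fail":
        return ("accept", f"spf-{spf_result}")
    if normalize(rcpt_to) in policy.trusted_rcpts:
        return ("accept", "whitelisted-recipient")
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in policy.trusted_hosts):
        return ("accept", "whitelisted-host")
    return ("reject", "spf-fail")


FORWARDER = "65.64.162.194"   # forwarding server named in the post
STRANGER = "192.0.2.10"       # constructed, documentation range

# The two options from the post: whitelist the host, or whitelist a secret recipient.
by_host = RecipientPolicy(trusted_hosts=[ipaddress.ip_network(FORWARDER + "/32")])
by_rcpt = RecipientPolicy(trusted_rcpts={"friend-secret@isp.example.com"})


def demo():
    cases = [
        (by_host, FORWARDER, "friend@isp.example.com"),
        (by_host, STRANGER, "friend@isp.example.com"),
        (by_rcpt, FORWARDER, "friend-secret@ISP.example.com"),
        (by_rcpt, FORWARDER, "friend@isp.example.com"),        # forwarder not yet retargeted
        (by_rcpt, STRANGER, "friend-secret@isp.example.com"),  # secret has leaked
    ]
    return [decide("fail", ip, rcpt, pol) for pol, ip, rcpt in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last case is the leak scenario the message itself raises: once the secret recipient is known, the exemption applies to any sending host.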

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/