Meng Weng Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> writes:
Solution 2: per-recipient custom whitelisting.
This solution was suggested by Ted Cabeen.
We can assume gamma(_at_)hp(_dot_)com knows that beta(_at_)pobox(_dot_)com
is forwarding to him.
If he wants to get beta(_at_)pobox(_dot_)com mail, he can tell HP's MTA
"if you get mail for me, if it comes from pobox.com's servers, let it
through." So hp.com's MTA would have to do two sets of SPF checks:
one on the envelope sender domain, and another on the domains
specified by the user. In this case, gamma(_at_)hp(_dot_)com would tell
HP.com's MTA to also SPF-allow pobox.com.
This assumes pobox.com publishes SPF. If pobox.com does not publish
SPF, HP's MTA would return "unknown" and it would have to accept the
mail.
We don't necessarily need per-user whitelisting here. We can do it on
a larger scale, but there would need to be some accountability for it.
For example, the hp.com admin could have a whitelist that lists the
entire pobox.com domain as okay for forwarding, since pobox.com is a
trustworthy source. Theoretically, hp could do whitelisting for all
of the forwarding services that their users use. However, in such a
system, we'd probably want to also create DNS-based whitelists that
list all reputable mailing-list and forwarding services that use SPF
to reduce the workload on the SPF-enabled server admins. Perhaps in
order to get on such a list, the forwarder owner would have to
register directly with the whitelist so that email abuse through the
forwarding system could be tracked. This sort of thing would also fix
the mailing list problem, as they could register with the whitelists
as well.
--
Ted Cabeen http://www.pobox.com/~secabeen
ted(_at_)impulse(_dot_)net
Check Website or Keyserver for PGP/GPG Key BA0349D2
secabeen(_at_)pobox(_dot_)com
"I have taken all knowledge to be my province." -F. Bacon
secabeen(_at_)cabeen(_dot_)org
"Human kind cannot bear very much reality."-T.S.Eliot
cabeen(_at_)netcom(_dot_)com
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
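
The two sets of SPF checks discussed in this message, sketched as an added example (not code from the thread or from any SPF implementation). The SPF records, IP addresses, alpha@example.org, nospf.example and the function names are constructed for illustration; only ip4 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF data; a real MTA would fetch these TXT records from DNS.
SPF_RECORDS = {
    "pobox.com": "v=spf1 ip4:192.0.2.0/24 -all",      # forwarder's outbound hosts
    "example.org": "v=spf1 ip4:198.51.100.7 -all",    # original sender's domain
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip):
    """Minimal SPF evaluation: ip4 and all only; other mechanisms never match."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "unknown"                      # domain publishes no SPF
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def accept_mail(client_ip, envelope_sender, recipient, forwarder_whitelist):
    """First check: envelope sender domain. Second check: the recipient's own
    list of forwarder domains, consulted only when the first check fails."""
    sender_domain = envelope_sender.rsplit("@", 1)[1].lower()
    result = spf_check(sender_domain, client_ip)
    if result != "fail":
        return True, f"envelope sender {sender_domain}: {result}"
    for fwd in forwarder_whitelist.get(recipient.lower(), ()):
        fwd_result = spf_check(fwd, client_ip)
        # As described in the message: a whitelisted forwarder that publishes
        # no SPF yields "unknown", and the mail is then accepted.
        if fwd_result in ("pass", "unknown"):
            return True, f"forwarder {fwd}: {fwd_result}"
    return False, f"envelope sender {sender_domain}: fail"

if __name__ == "__main__":
    whitelist = {"gamma@hp.com": ["pobox.com"]}   # gamma's per-recipient list
    # Mail from alpha@example.org, relayed by a pobox.com host to gamma@hp.com.
    print(accept_mail("192.0.2.10", "alpha@example.org", "gamma@hp.com", whitelist))
    print(accept_mail("192.0.2.10", "alpha@example.org", "gamma@hp.com", {}))
```

Whitelisting a forwarder that publishes no SPF overrides an envelope-sender fail for that recipient regardless of the connecting host, which is why the message says the scheme assumes pobox.com publishes SPF.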