spf-discuss

Re: The .forward problem

2003-10-07 12:23:47
Meng Weng Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> writes:
Solution 2: per-recipient custom whitelisting.

  This solution was suggested by Ted Cabeen.

  We can assume gamma(_at_)hp(_dot_)com knows that beta(_at_)pobox(_dot_)com is
  forwarding to him.

  If he wants to get beta(_at_)pobox(_dot_)com mail, he can tell HP's MTA "if you
  get mail for me, if it comes from pobox.com's servers, let it
  through."  So hp.com's MTA would have to do two sets of SPF checks:
  one on the envelope sender domain, and another on the domains
  specified by the user.  In this case, gamma(_at_)hp(_dot_)com would tell HP.com's
  MTA to also SPF-allow pobox.com.

  This assumes pobox.com publishes SPF.  If pobox.com does not publish
  SPF, HP's MTA would return "unknown" and it would have to accept the
  mail.

We don't necessarily need per-user whitelisting here.  We can do it on
a larger scale, but there would need to be some accountability for it.
For example, the hp.com admin could have a whitelist that lists the
entire pobox.com domain as okay for forwarding, since pobox.com is a
trustworthy source.  Theoretically, hp could do whitelisting for all
of the forwarding services that their users use.  However, in such a
system, we'd probably want to also create DNS-based whitelists that
list all reputable mailing-list and forwarding services that use SPF
to reduce the workload on the SPF-enabled server admins.  Perhaps in
order to get on such a list, the forwarder owner would have to
register directly with the whitelist so that email abuse through the
forwarding system could be tracked.  This sort of thing would also fix
the mailing list problem, as they could register with the whitelists
as well.

-- 
Ted Cabeen           http://www.pobox.com/~secabeen            ted(_at_)impulse(_dot_)net
Check Website or Keyserver for PGP/GPG Key BA0349D2         secabeen(_at_)pobox(_dot_)com
"I have taken all knowledge to be my province." -F. Bacon  secabeen(_at_)cabeen(_dot_)org
"Human kind cannot bear very much reality."-T.S.Eliot        cabeen(_at_)netcom(_dot_)com

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
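
The two-step check discussed in this message (envelope sender domain first, then forwarders declared per recipient or site-wide by the admin), as an added example that is not part of the original post. The function names, the SPF records, the sender domain example.org and the IP addresses are constructed for illustration, and the evaluator handles only `ip4:` and `-all`.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (documentation IP ranges).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",     # original sender's domain
    "pobox.com": "v=spf1 ip4:198.51.100.0/24 -all",    # forwarder (record is made up)
}

def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Evaluate only ip4: and -all; return 'pass', 'fail' or 'unknown'."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "unknown"                      # domain publishes no SPF
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term == "-all":
            return "fail"
    return "unknown"

def accept_mail(client_ip, envelope_domain, recipient,
                user_forwarders, site_forwarders=(), records=SPF_RECORDS):
    """Return (accept, reason) for one SMTP transaction."""
    # Check 1: the envelope sender domain.
    result = spf_check(envelope_domain, client_ip, records)
    if result != "fail":
        return True, f"sender {envelope_domain}: {result}"
    # Check 2: forwarders the recipient (or the admin, site-wide) has declared.
    for fwd in list(user_forwarders.get(recipient, ())) + list(site_forwarders):
        fwd_result = spf_check(fwd, client_ip, records)
        if fwd_result == "pass":
            return True, f"forwarder {fwd}: pass"
        if fwd_result == "unknown":
            # Per the message: without an SPF record the MTA has to accept.
            return True, f"forwarder {fwd}: unknown"
    return False, f"sender {envelope_domain}: fail, no declared forwarder matched"
```

The "unknown" branch shows the cost of whitelisting a forwarder that publishes no SPF record: for that recipient, mail from any connecting IP is accepted.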