On Fri, Oct 10, 2003 at 10:49:27PM -0500, wayne wrote:
|
| > 2.4.x LocalPart
| >
| > the LocalPart specification is EXPERIMENTAL and may be defined
| > in future RFCs.
|
| If it isn't defined in the current RFC, I think this option should be
| dropped.
|
We need to let individual users opt out of the system; symmetrically, we
need a way for SPF to be disabled by default but let individual users
opt in.
In most cases, the LocalPart directive will be absent, which means SPF
protection is enabled for the entire domain.
If a roaming user (bob@example.com) wishes to be able to use any SMTP
server at all, example.com can publish a LocalPart directive.
When SPF clients see a LocalPart directive, they launch further queries
which are specific to bob.
Bob may want to send mail as bob+foo@example.com, so the query has to be
flexible.
The result of the query should be another set of directives. This set
overrides the original set.
But how do we do the localpart query? Can you think of a scheme?
(Spoilers below. If this problem interests you, don't be tainted by my
ideas; you can probably do better.)
Suppose the initial policy._smtp_client.example.com response is
"v=spf1 a mx ptr LocalPart:rlp=+- default=deny"
If any of the (a,mx,ptr) mechanisms result in a hit, the localpart
mechanism is not consulted. This is the usual short-circuiting.
If none of them get a hit, we turn to the LocalPart before defaulting to deny.
Taking "rlp=+-" into consideration, we rewrite the sender
bob+foo@example.com
into this query:
foo.bob.policy._smtp_local.example.com
That query could return a response of
"v=spf1 default=allow" or
"v=spf1 a:bob-at-home.org default=softdeny"
Or it could even define another LocalPart lookup, to a maximum depth of
6 or so.
Now, we know that one-size-fits-all results in bruised toes.
We will probably have to support a variety of queries.
"rlp" stands for reversed-localpart. The RHS of the = sign indicates
delimiters for the reversal.
Examples:
  LocalPart=rlp=+-  bob+foo-bar@example.com
                 -> bar.foo.bob.policy._smtp_local.example.com
  LocalPart=rlp=+   bob+foo-bar@example.com
                 -> foo-bar.bob.policy._smtp_local.example.com
  LocalPart=rlp     bob+foo-bar@example.com
                 -> bob+foo-bar.policy._smtp_local.example.com
  LocalPart=rlp     bob.foo.bar@example.com
                 -> bob.foo.bar.policy._smtp_local.example.com
  LocalPart=rlp=.   bob.foo.bar@example.com
                 -> bar.foo.bob.policy._smtp_local.example.com
  LocalPart=rlp=+   tm.o'reilly@example.com
                 -> tm.o'reilly.policy._smtp_local.example.com
(Aside: I know the inclusion of ' in a DNS label will upset many people.
They will cry RFC952: a "text string up to 24 characters drawn from the
alphabet (A-Z), digits (0-9), minus sign (-), and period (.)."
And they are right. But the above entries are not host names; they are
labels. See RFC2181 section 11 and RFC1123 section 6.1.3.5.)
Any thoughts?
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
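The "rlp" rewrite sketched in the message above, as an added example that is not part of the original post or of any SPF implementation. It reproduces the post's six examples and, as an assumption the post does not state, rejects empty or over-long labels, since the local part is sender-controlled text that would otherwise become an invalid DNS query.

```python
import re

# Constructed example of the reversed-localpart ("rlp") rewrite described
# in the post; not code from the post or from any SPF library.
POLICY_SUFFIX = "policy._smtp_local"  # suffix used in the post's examples
MAX_LABEL = 63    # DNS label limit (RFC 1035)
MAX_NAME = 253    # practical textual length limit for a domain name


def parse_rlp(directive):
    """Return the delimiter characters from 'rlp' or 'rlp=<delims>'.

    Accepts the bare spec ('rlp=+-') or the full directive with either
    separator the post uses ('LocalPart=rlp=+-' or 'LocalPart:rlp=+-').
    """
    spec = directive
    for prefix in ("LocalPart=", "LocalPart:"):
        if spec.startswith(prefix):
            spec = spec[len(prefix):]
    if spec == "rlp":
        return ""          # no delimiters: the local part is one label
    if spec.startswith("rlp="):
        return spec[len("rlp="):]
    raise ValueError("unsupported LocalPart scheme: %r" % directive)


def localpart_query(directive, sender):
    """Rewrite a sender address into the DNS name the rlp scheme queries."""
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        raise ValueError("sender must be of the form local@domain")
    delims = parse_rlp(directive)
    if delims:
        # Split on any of the delimiter characters, e.g. '+' and '-'.
        parts = re.split("[" + re.escape(delims) + "]", local)
    else:
        parts = [local]
    # Assumed policy (not stated in the post): sender-controlled text becomes
    # DNS labels, so reject anything DNS cannot carry.
    for label in parts:
        if not label or len(label) > MAX_LABEL:
            raise ValueError("invalid DNS label %r in local part" % label)
    name = ".".join(parts[::-1] + [POLICY_SUFFIX, domain])
    if len(name) > MAX_NAME:
        raise ValueError("query name too long")
    return name
```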