spf-discuss

Re: Alternatives to DNS for SPF?

2003-10-19 20:29:23
Russell Kroll <rkroll@exploits.org>:
> There must be some other ways to convey the same data which don't rely on
> DNS.  How about a text-based protocol like SMTP that sends the various
> details to a designated server which then approves or rejects the request?
> You could use a SRV record to specify which host(s) run the server.
>
> I'm talking about something really simple here, along the lines of this
> (someone on 1.2.3.4 is trying to send mail as bogus@example.exploits.org):
>
>       S: auth.exploits.org server saying hello
>       C: MODE SMTP
>       S: -HOST
>       S: -FROM
>       S: Mode set to SMTP
>       C: SET HOST 1.2.3.4
>       S: Value accepted for HOST
>       C: SET FROM bogus@example.exploits.org
>       S: Value accepted for FROM
>       C: DECIDE
>       S: DENIED TTL=86400
>
> Imagine the usual 2xx/5xx result codes in front of those server responses.

You left out the 

S: .

after the "Mode set to SMTP" line. :-)
 
> This method allows expansion by adding more possible "SET" values in the
> future.  It could support PGP keys, some kind of one-time passphrase
> scheme, or whatever.
>
> A daemon to handle these requests isn't hard to write.  Most of the
> complexity comes from implementing your own policy.  If your policy is
> simple like mine - one valid sender IP address for the whole domain -
> then the code is trivial.
>
> Is it really worth the trouble of trying to make this fit into DNS?

I think this is an intelligent question to be raising.  Now let me ask
the next one: is there any reason this shouldn't be an SMTP extension?
That is, why shouldn't I be able to do this:

   telnet example.exploits.org 25
   Trying 192.168.1.31...
   Connected to example.exploits.org
   Escape character is '^]'.
S: 220 example.exploits.org ESMTP Sendmail XXX/YYY; Sun, 19 Oct 2003 23:19:26
C: EHLO snark.thyrsus.com
S: 250-example.exploits.org Hello snark [192.168.1.11], pleased to meet you
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-8BITMIME
S: 250-SIZE
S: 250-DSN
S: 250-ETRN
S: 250-DELIVERBY
S: 250-SPF
S: 250 HELP
C: SPF SMTP
S: -HOST
S: -FROM
S: 250 READY Mode set to SMTP
C: SET HOST 1.2.3.4
S: 250 Value accepted for HOST
C: SET FROM bogus@example.exploits.org
S: 250 Value accepted for FROM
C: DECIDE
S: 550 DENIED Not a valid IP for bogus@example.exploits.org
C: QUIT
-- 
                Eric S. Raymond <http://www.catb.org/~esr/>
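What the sketched exchange looks like once it is written down, as an added example that is not part of the thread and not code from any SPF implementation: a toy Python state machine for the query server, carrying the one-valid-IP-per-domain policy Russell describes, plus the client side that runs the MODE/SET/DECIDE sequence and parses the verdict and its TTL. The server name, the policy table and the 4xx/5xx codes chosen for malformed or unanswerable requests are assumptions; the posts only fix 2xx for accepted and 5xx for denied.

```python
"""Toy query server and client for the ad-hoc "auth server" protocol sketched in
the thread.  Added example, not code from the thread or from any SPF software.
Assumed: the server name auth.exploits.org, the policy table below, and the
4xx/5xx codes used for malformed or unanswerable requests (the posts only fix
2xx = accepted and 5xx = denied)."""
import ipaddress
import re

TTL = 86400  # seconds the asking MTA may cache a verdict, as in "DENIED TTL=86400"

# Constructed policy: exactly one permitted sender IP per domain, the "simple
# policy like mine" from the post.  A real daemon would load this from config.
POLICY = {
    "example.exploits.org": "192.168.1.31",
    "exploits.org": "192.168.1.31",
}


class AuthSession:
    """Server-side state machine for one connection: MODE, SET, DECIDE, QUIT."""

    REQUIRED = ("HOST", "FROM")  # values MODE SMTP announces and DECIDE needs

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.mode = None
        self.values = {}

    @staticmethod
    def greeting():
        return ["220 auth.exploits.org server saying hello"]

    def handle(self, line):
        """Process one client line; return the list of server reply lines."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            return ["221 auth.exploits.org closing connection"]
        if verb == "MODE":
            if arg.strip().upper() != "SMTP":
                return ["504 Unknown mode"]
            self.mode = "SMTP"
            self.values = {}  # a new MODE starts a fresh request
            # Multi-line reply: the "-" continuation lines list the values to SET.
            return ["250-" + k for k in self.REQUIRED] + ["250 Mode set to SMTP"]
        if self.mode is None:
            return ["503 Send MODE first"]
        if verb == "SET":
            key, _, val = arg.strip().partition(" ")
            key, val = key.upper(), val.strip()
            if key not in self.REQUIRED:
                return ["504 Unknown value " + key]
            if key == "HOST" and not _is_ip(val):
                return ["501 HOST must be an IP address"]
            if key == "FROM" and "@" not in val:
                return ["501 FROM must be user@domain"]
            self.values[key] = val
            return ["250 Value accepted for " + key]
        if verb == "DECIDE":
            missing = [k for k in self.REQUIRED if k not in self.values]
            if missing:
                return ["503 Missing " + ", ".join(missing)]
            return [self._decide()]
        return ["500 Unknown command"]

    def _decide(self):
        sender = self.values["FROM"]
        domain = sender.rpartition("@")[2].lower()
        permitted = self.policy.get(domain)
        if permitted is None:
            # Not our domain: refuse to answer rather than deny, so a misdirected
            # query cannot be turned into a verdict (assumed 4xx semantics).
            return "450 UNKNOWN No policy for domain " + domain
        if ipaddress.ip_address(self.values["HOST"]) == ipaddress.ip_address(permitted):
            return "250 ALLOWED TTL=%d" % TTL
        return "550 DENIED TTL=%d Not a valid IP for %s" % (TTL, sender)


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def run_exchange(session, client_lines):
    """Client driver: feed lines to a session, return (verdict, ttl, transcript)."""
    transcript = ["S: " + s for s in session.greeting()]
    verdict, ttl = None, None
    for line in client_lines:
        transcript.append("C: " + line)
        replies = session.handle(line)
        transcript.extend("S: " + r for r in replies)
        if line.strip().upper().startswith("DECIDE"):
            verdict = replies[-1].split()[1]
            m = re.search(r"\bTTL=(\d+)", replies[-1])
            ttl = int(m.group(1)) if m else None
    return verdict, ttl, transcript


def check_sender(host, sender, policy=POLICY):
    """What an MTA would do per connection: run the whole exchange, get a verdict."""
    script = ["MODE SMTP", "SET HOST " + host, "SET FROM " + sender, "DECIDE", "QUIT"]
    verdict, ttl, _ = run_exchange(AuthSession(policy), script)
    return verdict, ttl


if __name__ == "__main__":
    # The case from the post: 1.2.3.4 claims to be bogus@example.exploits.org.
    _, _, lines = run_exchange(AuthSession(), [
        "MODE SMTP", "SET HOST 1.2.3.4",
        "SET FROM bogus@example.exploits.org", "DECIDE", "QUIT"])
    print("\n".join(lines))
```

The same handler could sit behind the "SPF" EHLO keyword Eric proposes, with the receiving MTA routing the SET and DECIDE verbs to it inside the SMTP session. Either way the asking MTA still has to find the right server, and the SRV record Russell mentions means that step rests on DNS exactly as a TXT-record lookup would; the protocol only moves the policy evaluation off DNS, not the trust in it.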

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.txt
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/

