spf-discuss

RE: Maybe simple question

2003-12-14 21:34:26
[Disclaimer: All opinions in this email are my personal ones, and not those
of any organizations whose names may appear in the headers of this email.]
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of marrandy
Sent: December 14, 2003 9:39 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Maybe simple question


In Boston, I would be forced to use rcn's policy, or comcast's policy,
because they're the only cablemodem providers here.  What shall I do
if they decide I can only use mail(_at_)rcn(_dot_)com or
mail(_at_)comcast(_dot_)com?


There are many options.  Think about it.

Okay, so you explain to me what I'm going to tell my dad the day SPF gets
widely deployed?

Current situation: He reads his email from home (solely). He has POP3
accounts with employers, and he sends outgoing email through the ISP's SMTP
server. This is a former @Home cable company, so they have a recent mail
setup that requires anyone to SMTP AUTH to send outgoing email (or at least
to send mail from things other than @isp.com). Employers' SMTP servers are
set up using the traditional "relay for our local IP pool, do not relay for
anyone else" logic. Said employers also provide webmail, dialup access into
their IP pools, and do not currently have SMTP AUTH. 

If SPF gets widely deployed and the employers add SPF records (or people
start bouncing mail from places that do not publish SPF), my dad's mail will
start getting bounced, since the cable company's SMTP server likely won't be
in the SPF records. If the employers don't decide to enable SMTP AUTH,
figuring that people outside their IP pool generally use the webmail system
or dial in from home or that their users generally have hideously insecure
passwords, then my dad's mail setup is literally broken, and I get to be in
the pleasant position of telling him why :)

Oh, and an interesting detail: at the time this ISP left @Home, I was
involved with a users' group... The initial configuration of the post-@Home
servers relayed only for addresses @isp.com, and due to the huge outcry from
people who are configured similarly to my dad, they had to change their
relaying policy.

The problem with SPF is this: anyone who has SPF records must provide an
SMTP AUTH (or other mechanism) relay for its users once they leave that
organization's IP pool. That's what I think Mr. Harvey was trying to argue,
and it's a serious problem for some people. If employers don't want people to
deal with email outside the company netblock, SPF is a great way to do it -
though firewalling port 110/etc from outside the office is a much better
method, IMHO. If, however, you want to have people from outside your
netblock send mail, then it requires you to set up (and pay for, and
maintain, and secure, etc) a way for them to send it - whereas before, they
would send through their local ISP's SMTP server, which they are after all
paying for (and will continue to pay for, but not use, with SPF). And if the
people doing this are in a "gray" area (it's neither allowed nor banned -
the employer leaves the appropriate ports open from outside the netblock,
but the IT dept doesn't openly encourage/discourage people from using them),
SPF screws you over - the server admins may not want to burden themselves
with running a relay-type thing, but still want to be a good netizen and
publish SPF... 

If you administer your own domain/mail server, like many of the people
involved in writing this spec, then you're fine. Even if port 25 is blocked,
it's easy to buy an SMTP relaying service (I won't put a shameless plug here
simply because I want to make it clear that I'm writing solely for myself,
not any organization) and add it to your SPF records, or just set up SMTP AUTH
on your own MTA on a different port, or tunnel SMTP through SSH back to your
home base.  But if you don't... Then let's just say that you have to shake
up your IT department, big time... Or things that used to work WILL break
and you can say hello to webmail (the large organizations with tens of
thousands of users that I know about all seem to promote webmail for their
off-netblock users ... and their on-netblock ones, for that matter). And for
old-fashioned techies like me, webmail is an abominable thing that one
should not impose on anyone... 

That said, there is also an obvious compromise, as Meng (I think) pointed
out: people could just add local ISPs to their SPF allowed relays. For
example, if the University of SPF is in a town with ISPa and ISPb, and it
knows that its legitimate users from outside its netblock would be using
ISPa and ISPb, then it can just allow those. Sure, it weakens SPF a little, but the
dude in China is still blocked. The beauty of this for educational
institutions (no doubt commercial organizations would have more trouble
doing this), is that since educational institutions generally provide dialup
to their users, the only servers you'd need to allow would be those for the
local broadband ISPs, and 98% of people would be happy. For the other 2%
(eg: travellers)... should it be hello webmail?

Vivien (who will now go back to lurking, probably, where he's been for a
long time...)
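The compromise Vivien describes above (an organization's SPF record listing its own netblock plus the local ISPs' outgoing relays), as an added example that is not part of the original thread: a minimal SPF evaluator run over a constructed in-memory DNS table. All domain names and IP ranges below are assumed placeholders, not real records.

```python
# Added example, not code from the original thread. Minimal SPF check against
# constructed TXT records: the "university" publishes its own netblock and
# include: terms for the two local ISPs, so mail relayed through either ISP
# passes while mail from an arbitrary address elsewhere fails.
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical zones and ranges).
FAKE_DNS = {
    "university-of-spf.example":
        "v=spf1 ip4:192.0.2.0/24 include:ispa.example include:ispb.example -all",
    "ispa.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "ispb.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Return "pass", "fail", "softfail" or "neutral" for client_ip sending
    mail as domain. Handles ip4, include and all with +/-/~/? qualifiers;
    unknown mechanisms never match. Include depth is capped to stop loops."""
    if depth > 10:
        return "neutral"
    record = FAKE_DNS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "neutral"  # no usable SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the referenced record yields "pass"
            matched = check_spf(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # ran off the end of the record without a match
```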

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt