spf-discuss

RE: Maybe simple question

2003-12-16 01:19:09

--Mark <admin(_at_)asarian-host(_dot_)net>:
2): He sends mail through the SMTP server of his ISP, using
an envelope from address with a domain name of another ISP.
Barring explicit agreements between those ISPs, under SPF,
you can, indeed, no longer do that. That is, you cannot send
out mail using an SMTP server of AOL, using an
@mindspring.com address (unless, like I said, mindspring
published an SPF record which specifically allowed the AOL
SMTP server to relay mail for them; yeah, right).

What category is your dad in? :)

--"Vivien M." <vivienm(_at_)dyndns(_dot_)org> wrote:
Number 2 :P The one that becomes SOL under SPF :) Which, funnily enough,
starting from the days of ending open relays until a year ago or so, was
the generally accepted way of dealing with this situation. That's what
bugs me about SPF: the fact that, after all kinds of people were set up
with the "POP3 from wherever, SMTP through your local ISP" model,
suddenly SPF makes that obsolete and requires "wherever" to provide an
SMTP AUTH-type relay. If they don't feel like bothering with it... then I
get to explain to my dad why he can't use his perfectly functional POP3
client to send mail anymore and needs to learn some webmail interface.
For understandable reasons, this is a conversation I'd prefer not to have.


Here are a couple more thoughts I have...

1. The people changing the DNS to add SPF are probably either also part of IT, or working in cooperation with IT. If nobody is actively forging mail from the domain right now, they might just delay SPF until a time when everyone has access to SMTP AUTH and/or VPN.

2. Does the employer in this case offer a way to VPN in? I'm assuming POP3 isn't open to the outside, since it's kind of insecure in terms of sniffing. If there is a VPN, you can probably send directly with the employer's server without adding SMTP AUTH to it; they would implicitly trust the VPN client IP. If they just have POP3 open to the world, they might want to either add SMTP AUTH, or use POP-before-SMTP, which some SMTP servers might be set up for if they don't have auth.

3. For smaller employers that don't have a VPN or a savvy IT dept, they might be able to get away with just adding joesisp.net to the accepted list for their SPF (or better yet, an include: reference to joesisp.net's SPF record). Granted, this lets any customer of joesisp spoof the employer's address, but this is a step in the right direction. It buys some time while they work out their VPN or SMTP AUTH strategy.

There are also ways to set up DNS so that you can send from "gconnor(_at_)employer(_dot_)com" out of joesisp.net, but not "xyakd845(_at_)employer(_dot_)com". But this uses macros and adds a bunch more DNS records, and is probably a little more complicated to set up than getting SMTP AUTH working.


Ok that's all I have for now, good night :)
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
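The two record designs Greg describes in points 3 and 4 (a coarse include: of the ISP's record, versus a macro-expanded exists: lookup that authorizes only named local parts from the ISP's relay), worked through in a small SPF evaluator. This is an added example, not code from the list or from the SPF project; the zone data (joesisp.net, coarse.example, employer.example, the 192.0.2.0/24 relay range, the IP 192.0.2.25) is constructed, and the evaluator follows RFC 4408/7208 semantics (an include: of a domain with no record is a permerror) rather than the 2003 draft's exact wording.

```python
"""Toy SPF evaluator over an in-memory zone (no network access).

Supports ip4:, include:, exists:, all, the +/-/~/? qualifiers and the
macros %{s} %{l} %{o} %{d} %{i}, with the 'r' transformer (e.g. %{ir}
is the sending IP with its octets reversed). Constructed zone data only.
"""
import ipaddress
import re

# Constructed zone, not real records. TXT holds SPF; A records back exists: lookups.
ZONE = {
    "TXT": {
        "joesisp.net": "v=spf1 ip4:192.0.2.0/24 -all",
        # Point 3: coarse authorization. Any joesisp.net customer may use any local part.
        "coarse.example": "v=spf1 include:joesisp.net -all",
        # Point 4: per-local-part authorization. The exists: target is built from the
        # reversed sending IP and the local part, so each (IP, user) pair needs its own A record.
        "employer.example": "v=spf1 exists:%{ir}.%{l}._spf.%{d} -all",
    },
    "A": {
        # gconnor is authorized only when sending via joesisp.net's relay 192.0.2.25 (assumed).
        "25.2.0.192.gconnor._spf.employer.example": "127.0.0.2",
    },
}

MACRO_RE = re.compile(r"%\{([slodi])(r?)\}")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macros(text, sender, ip, domain):
    """Expand the subset of SPF macros used above (simplified: no digit transformers)."""
    local, _, sender_domain = sender.partition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain, "i": ip}

    def substitute(match):
        value = values[match.group(1)]
        if match.group(2) == "r":  # 'r' reverses the dot-separated labels
            value = ".".join(reversed(value.split(".")))
        return value

    return MACRO_RE.sub(substitute, text)


def check_spf(ip, sender, domain=None, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for (ip, sender)."""
    domain = (domain or sender.partition("@")[2]).lower()
    if depth > 10:  # recursion limit for include: chains
        return "permerror"
    record = ZONE["TXT"].get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only if the referenced record evaluates to pass.
            target = expand_macros(arg, sender, ip, domain)
            sub = check_spf(ip, sender, target, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"
        elif name == "exists":
            matched = expand_macros(arg, sender, ip, domain).lower() in ZONE["A"]
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match (no all term)


if __name__ == "__main__":
    for ip, sender in [("192.0.2.25", "gconnor@employer.example"),
                       ("192.0.2.25", "xyakd845@employer.example"),
                       ("203.0.113.9", "gconnor@employer.example"),
                       ("192.0.2.77", "anyone@coarse.example")]:
        print(f"{sender:30} from {ip:12} -> {check_spf(ip, sender)}")
```

The coarse.example record passes any local part from any address in joesisp.net's range, which is exactly the spoofing window point 3 accepts; the employer.example record passes only the listed user from the listed relay, at the cost of one A record per authorized (IP, user) pair, which is the extra DNS bookkeeping point 4 warns about.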

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname

