spf-discuss

Re: SRS Question

2004-01-09 14:12:58
Meng Weng Wong wrote:

On Fri, Jan 09, 2004 at 01:25:53PM -0600, Jim Ramsay wrote:

| | And is there a better explanation about how a cookie should be used, or
| | should that be site-dependent?
|
| Each site makes up a secret.  The secret is used when making a cookie.
| You put a cookie into the rewritten address to prevent open relaying.

That's what I expected, but does it matter (or will it matter according to the RFC) where that cookie is put within the rewritten envelope?

For example, should it be:

bounce-cookie-original#domain(_dot_)dom(_at_)forwarder(_dot_)dom

Or

bounce-original#domain(_dot_)dom-cookie(_at_)forwarder(_dot_)dom

Or does the server get to decide?

What about:

realusername-fwdfrom-original#domain(_dot_)dom-cookie(_at_)host(_dot_)name(_dot_)com?

or:

realusername-fwdsecure-asthuoei79880euf7i79e8u(_at_)host(_dot_)name(_dot_)com
(where 'asthuoei79880euf7i79e8u' is the original envelope encrypted by the forwarding host with a key only known to that host)

This would be most useful for utilities like TMDA or Procmail or other mail processing scripts which may forward things to other email accounts. They could then properly get a bounce and forward it on, and it could be done on a per-user basis (the server would not be forced to have a global "bounce-" alias set up).

Then again, why standardize this with an RFC at all? As far as I can see the criteria needed such that I can forward an email to an SPF-enabled server are as follows:

- The forwarding server MUST rewrite the envelope such that the domain part corresponds to the SPF record on the forwarding server instead of the original sender's domain.

- This rewritten envelope MUST include a secure method of ensuring no one can forge similar rewritten envelopes.

- The forwarding server MUST be able to receive emails to the envelope created above and change them back to the exact original only if the secure mechanism signifies that the address in question was not forged.

This means that the original envelope need not be visibly in the rewritten envelope - it could be stored on disk or in a database, or encrypted to make things more difficult to forge.

--
Jim Ramsay

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname(_at_)
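
An added example, not part of the original message or of any SRS specification: a minimal Python sketch of the three criteria in the post, using the first proposed layout (`bounce-cookie-original#domain@forwarder`) with the cookie computed as a truncated HMAC over the original address. The secret, the 12-character cookie length, the function names and the `forwarder.dom` host are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-site-secret"  # assumption: per-site secret, never published
FORWARDER = "forwarder.dom"          # placeholder forwarder domain, as in the post
PREFIX = "bounce"
COOKIE_LEN = 12                      # hex characters kept from the HMAC (assumption)


def _cookie(local: str, domain: str) -> str:
    """Keyed hash over the original address; only the secret holder can compute it."""
    msg = f"{local}@{domain}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:COOKIE_LEN]


def rewrite(envelope_from: str) -> str:
    """Forward path: user@domain.dom -> bounce-<cookie>-user#domain.dom@forwarder.dom"""
    local, _, domain = envelope_from.rpartition("@")
    if not local or not domain or "#" in domain:
        raise ValueError("unsupported envelope sender")
    return f"{PREFIX}-{_cookie(local, domain)}-{local}#{domain}@{FORWARDER}"


def reverse(rewritten: str):
    """Bounce path: return the exact original sender, or None if the cookie fails."""
    local_part, _, host = rewritten.rpartition("@")
    if host.lower() != FORWARDER:
        return None
    prefix, _, rest = local_part.partition("-")
    cookie, _, original = rest.partition("-")
    local, _, domain = original.rpartition("#")
    if prefix != PREFIX or not local or not domain:
        return None
    # Constant-time compare so the check does not leak how many characters matched.
    if not hmac.compare_digest(cookie.encode(), _cookie(local, domain).encode()):
        return None
    return f"{local}@{domain}"
```

Because the cookie covers the whole original address, a cookie copied from one legitimate rewritten envelope cannot be reused to relay to a different address through the forwarder.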

