
Re: SPF in MTAs

2004-01-25 11:37:11
On Sun, Jan 25, 2004 at 12:07:57PM -0500, Meng Weng Wong asserted:

Russ, here's the argument in a nutshell:

  DK lets a domain say: "if dk signature present, is legitimate".
  Domains also need to say: "if dk signature not present, is forgery".

  Otherwise spammers could just continue business as usual and the value
  of a DK signature would be diluted by lack of confidence.

  DK is strictly an authentication mechanism.  SPF is a policy framework.
  DK can't make that assertion.  SPF can.  SPF complements DK.
  So let's work together.

Specifically, if DK ever gets off the ground, I expect to make use of
SPF's built-in extensibility to add a "dk" mechanism that means a domain
always sends with DK signatures.  Even if an existing client doesn't
grok "dk" it will accept the message by design.


Am I wrong in thinking that qmail can be left alone by simply adding a
mechanism to be employed in the same manner as rblsmtp is now?

On my machines, /var/qmail/supervise/qmail-smtpd/run looks like:

exec /usr/local/bin/softlimit -m 2000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /usr/local/bin/rblsmtpd -b \
        -r dnsbl.njabl.org -r cbl.abuseat.org -r dnsbl.sorbs.net \
        /var/qmail/bin/qmail-smtpd 2>&1

The spf and dk checks could be added at smtp time by either patching rblsmtpd or
replacing it.  For qmail at least, this would keep spf and dk atomic and allow
for easy adoption.  qmail needs no modification whatsoever and that means that
if you do get DJB's attention, you'll avoid the 'qmail works, run it as
documented' altogether.

The current recommended install is the http://www.lifewithqmail.org version.  The
qmail list always proposes this as a fix for broken setups.  In fact, if you have
deviated, the knee-jerk answer is 'call your vendor', and from a free support
standpoint, I find it hard to be critical of this method.

For other MTAs, I dunno.  We use Postfix and have a couple of Sendmail boxes
too, but these are being migrated to qmail as the hardware reaches EOL.

-- 

Bob Greene
Public key available at 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC9C7841C
Or, you can just pull my finger
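The policy point quoted above (a domain publishing "-all" to say "anything else is forgery", and a client that does not grok a new mechanism such as "dk" still accepting the message) can be seen in a small SPF evaluator. This is an added example, not code from the post or from any SPF implementation: DNS TXT lookups are replaced by a constructed table, only the ip4, include and all mechanisms are implemented, and an unrecognised mechanism yields the "unknown" result of the drafts of that period (RFC 4408 later turned this into a PermError).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "open.example": "v=spf1 ?all",          # states no policy either way
    "dk.example": "v=spf1 dk -all",         # hypothetical 'dk' mechanism from the post
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate the SPF record published for `domain` against the
    connecting `ip`; returns pass/fail/softfail/neutral/none/unknown."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # domain publishes no SPF policy
    if depth > 10:
        return "unknown"                    # guard against include: loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "unknown"                # mechanism this client does not grok
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # no mechanism matched

def receiver_action(result):
    """What the MTA does at SMTP time for a given SPF result: only an explicit
    fail (the '-all' assertion DK cannot make) justifies rejecting."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-mark"
    return "accept"
```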

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt