Synopsis:
The %{u} macro expands to the username returned from an ident query performed
on the incoming connection.
Use cases:
1. Shared hosts - restricting outgoing SMTP to only the 'mail' user.
2. NAT Gateways - further discriminating between hosts behind the gateway.
Discussion:
My initial thought was to provide an 'ident' mechanism which would simply
delegate the task of providing a mailbox name to the ident daemon on the
connecting host. This had two problems:
1. SPF generally enables recipients to determine the boundary conditions for a
set of mailboxes that a particular incoming connection may legally claim to
be acting on behalf of. Identd is generally modelled on providing a single,
canonical identity for the incoming actor.
2. For privacy reasons people do not like to advertise a "single, canonical
identity" for their outgoing connections, hence traditional identd is
unpopular. SPF is less of a privacy concern in this regard as it only
provides the boundaries of a set, and even determining that would require
some significant spidering of the DNS.
Hence I am proposing %{u} as a macro instead of an identd mechanism. What this
means is that an identd can return anything - for example just a pid or uid -
which is not necessarily identifying. Then an SPF 'exists' lookup can have an
intelligent DNS server check with a real identity 'behind the scenes' without
making the actual username public.
Background:
A personal hate of mine is the 'confirmation loop' that so many websites
employ to verify a visitor's mailbox. I would like to be able to perform an
SPF check against the incoming connection instead.
Basically when I see a web form which asks me for a mailbox, I would like to
see one of three responses:
SPF Passed: Thank you <mailbox>, let's proceed...
SPF Failed: You are not <mailbox>, who are you really?
SPF Unknown: We have sent <mailbox> a confirmation mail....
This is so obviously useful that I expect it will increase the desirability of
SPF adoption a lot.
In order for SPF to support this purpose, it must be possible and reasonable
to authorize not just dedicated MTA hosts, but in fact any host on which I
may have a process running, be it an MTA, Web Browser, procmail script etc.
This means that there needs to be some way to support end-user machines, which
may include machines behind NAT etc. %{u} enables this.
- Dan
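
An added sketch, not part of the original post or of any SPF implementation, of how a receiver could turn an RFC 1413 ident reply into the proposed %{u} value and expand it inside an 'exists' target. The macro string, the `_ident` label and all sample replies are constructed for illustration; the ident token comes from the connecting host, so it is validated as a single DNS label before it reaches a query name.

```python
import re

# RFC 1413 replies: "<port-pair> : USERID : <opsys> : <user-id>"
#                or "<port-pair> : ERROR : <error-type>"
# A single LDH DNS label, at most 63 octets.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def parse_ident_reply(line, remote_port, local_port):
    """Return the user-id token from an ident reply, or None if unusable."""
    parts = line.rstrip("\r\n").split(":", 3)
    if len(parts) != 4 or parts[1].strip().upper() != "USERID":
        return None                      # ERROR reply or malformed line
    try:
        ports = tuple(int(p) for p in parts[0].split(","))
    except ValueError:
        return None
    if ports != (remote_port, local_port):
        return None                      # reply describes a different connection
    return parts[3].strip()

def expand(macro, user, ip, domain):
    """Expand %{u}, %{i}, %{d}; return None when %{u} is needed but unsafe."""
    if "%{u}" in macro and (user is None or not _LABEL.match(user)):
        return None                      # never place raw remote data in a DNS name
    values = {"u": user or "", "i": ip, "d": domain}
    return re.sub(r"%\{([uid])\}", lambda m: values[m.group(1)], macro)

# Hypothetical record term using the proposed macro.
TERM = "exists:%{u}.%{i}._ident.%{d}"

# Constructed ident replies for a connection from remote port 40213 to local port 25.
SAMPLES = [
    "40213, 25 : USERID : UNIX : 1004",            # opaque uid, as the post suggests
    "40213, 25 : ERROR : HIDDEN-USER",             # identd declines to answer
    "40213, 25 : USERID : UNIX : a.evil.example",  # tries to add extra labels
    "40213, 80 : USERID : UNIX : 1004",            # port pair does not match
]

def evaluate(reply):
    """Parse one constructed reply and expand TERM, or None if it is rejected."""
    user = parse_ident_reply(reply, 40213, 25)
    return expand(TERM, user, "192.0.2.7", "example.org")

if __name__ == "__main__":
    for reply in SAMPLES:
        print(repr(reply), "->", evaluate(reply))
```

A `None` result means the term cannot be evaluated for this connection; how the overall SPF result should treat that case is not specified in the proposal.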