On Mon, Feb 02, 2004 at 02:46:45PM +0100, Julian Mehnle wrote:
| Dan Boresjo [dan(_at_)boresjo(_dot_)demon(_dot_)co(_dot_)uk] wrote:
| > Synopsis:
| > The %{u} macro expands to the username returned from an ident query
| > performed on the incoming connection.
| >
| > Use cases:
| > 1. Shared hosts - restricting outgoing SMTP to only the 'mail' user.
| > 2. NAT Gateways - further discriminating between hosts behind the
| > gateway.
|
| I can see the benefit of this, but please be aware that:
|
| a. ident responses do only make sense if the sending host is trustworthy and
| not compromised, and
So don't put %{u} in your SPF string if it already has mechanisms to test
that only a trustworthy host is the sending host.
| b. many mail server hosts don't run an ident service, and
If it were a mechanism, it could just give an unknown result. As a macro
it needs to have some value. If ident fails, something needs to be there.
Maybe "_ident_fail_"?
| c. SPF clients would have to support making ident queries.
|
| I don't like (c) at all, and (a) and (b) probably reduce the usefulness of
| your proposal to nearly zero.
Given that ident is TCP, I don't like it, either. But I'm not saying no to
this feature just yet. I want to see what behaviour it has under failure,
and determine if MX hosts can choose to ignore it in some way (besides just
blocking the ident port, which would slow things down).
--
-----------------------------------------------------------------------------
| Phil Howard KA9WGN | http://linuxhomepage.com/ http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/ http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
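
An added example, not part of the original message or of any SPF implementation: a sketch of how the failure cases discussed above (no ident service, an error reply, a mismatched or unusable answer) could all collapse to one placeholder value for a hypothetical %{u} expansion. The function names, the character whitelist and the sample replies are assumptions; the reply layout is the one defined in RFC 1413, and `_ident_fail_` is the value floated in the message.

```python
import re

IDENT_FAIL = "_ident_fail_"  # placeholder value suggested in the thread

# Assumption: only characters that are harmless inside a DNS label are
# allowed to reach macro expansion; anything else counts as a failure.
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,63}")


def parse_ident_reply(reply, remote_port, local_port):
    """Return the user-id from an RFC 1413 reply, or None on any failure.

    reply is the raw bytes read from the ident port, or None when the
    query timed out or the connection was refused.
    """
    if reply is None:
        return None
    line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(":", 3)  # the user-id itself may contain ':'
    if len(parts) < 3:
        return None
    try:
        ports = [int(p) for p in parts[0].split(",")]
    except ValueError:
        return None
    # The reply must echo the port pair that was asked about.
    if ports != [remote_port, local_port]:
        return None
    if parts[1].strip().upper() != "USERID" or len(parts) != 4:
        return None  # covers "ERROR : NO-USER", "ERROR : HIDDEN-USER", ...
    return parts[3].strip()


def expand_u(reply, remote_port, local_port):
    """Value a hypothetical %{u} macro would take: always a safe string."""
    user = parse_ident_reply(reply, remote_port, local_port)
    if user is None or not SAFE_USER.fullmatch(user):
        return IDENT_FAIL
    return user


if __name__ == "__main__":
    # Constructed sample replies for a connection from port 6193 to port 25.
    for raw in (b"6193, 25 : USERID : UNIX : mail\r\n",
                b"6193, 25 : ERROR : NO-USER\r\n",
                None):
        print(raw, "->", expand_u(raw, 6193, 25))
```

The ident answer is supplied by the connecting host, so the value is only as trustworthy as that host, which is point (a) in the quoted reply.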