spf-discuss

RE: New macro proposed %{u}

2004-02-02 15:05:45
I really don't see the justification here for adding this macro. What
information do we get using this macro that is not available otherwise?

Besides UNIX how many platforms support ident?

Is ident likely to make it through a firewall? This is the type of service I
would turn off both incoming and outgoing.

Given the issues that finger exposed most network security admins are going
to turn off the ident daemon if it is there. 

-----Original Message-----
From: Phil Howard [mailto:phil-spf-discuss(_at_)ipal(_dot_)net]
Sent: Monday, February 02, 2004 12:58 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] New macro proposed %{u}


On Mon, Feb 02, 2004 at 02:46:45PM +0100, Julian Mehnle wrote:

| Dan Boresjo [dan(_at_)boresjo(_dot_)demon(_dot_)co(_dot_)uk] wrote:
| > Synopsis:
| > The %{u} macro expands to the username returned from an ident query
| > performed on the incoming connection.
| > 
| > Use cases:
| > 1. Shared hosts - restricting outgoing SMTP to only the 'mail' user.
| > 2. NAT Gateways - further discriminating between hosts behind the
| > gateway. 
| 
| I can see the benefit of this, but please be aware that:
| 
| a. ident responses only make sense if the sending host is trustworthy
| and not compromised, and

So don't put %{u} in your SPF string if it already has mechanisms to test
that only a trustworthy host is the sending host.


| b. many mail server hosts don't run an ident service, and

If it were a mechanism, it could just give an unknown result.  As a macro
it needs to have some value.  If ident fails, something needs to be there.
Maybe "_ident_fail_"?


| c. SPF clients would have to support making ident queries.
| 
| I don't like (c) at all, and (a) and (b) probably reduce the usefulness of
| your proposal to nearly zero.

Given that ident is TCP, I don't like it, either.  But I'm not saying no to
this feature just yet.  I want to see what behaviour it has under failure,
and determine if MX hosts can choose to ignore it in some way (besides just
blocking the ident port, which would slow things down).

-- 
-----------------------------------------------------------------------------
| Phil Howard KA9WGN       | http://linuxhomepage.com/      http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/   http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/
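As an added example (not code from this thread, from the SPF draft, or from any SPF implementation), the following Python sketches what a checker supporting %{u} would have to do: parse an RFC 1413 ident reply from the sending host and fall back to the `_ident_fail_` token Phil suggests when the query yields nothing. The macro letters %{i}, %{d}, %{s}, the port pair, the hostnames and the sample replies are assumptions constructed for the example; the user id is whatever the remote host chose to answer, which is exactly why (a) above matters.

```python
import re

# Fallback value for %{u} when ident fails (the token proposed in the thread).
IDENT_FAIL = "_ident_fail_"

def parse_ident_reply(line, expect_ports):
    """Parse one RFC 1413 reply line and return the user id, or None.

    Reply forms: "<srv-port>, <cli-port> : USERID : <os> : <user-id>"
             or  "<srv-port>, <cli-port> : ERROR : <error-type>"
    Any error, malformed line or port mismatch counts as ident failure.
    """
    parts = [p.strip() for p in line.rstrip("\r\n").split(":", 3)]
    if len(parts) < 3:
        return None
    ports = parts[0].split(",")
    try:
        got = (int(ports[0]), int(ports[1]))
    except (ValueError, IndexError):
        return None
    if got != expect_ports or parts[1] != "USERID" or len(parts) != 4:
        return None
    # The remote host supplies this string; it is not verified by anyone.
    return parts[3] or None

def expand_macros(text, ctx):
    """Expand a small subset of SPF macros (%{i}, %{d}, %{s}, %{u}).

    ctx: {"ip": dotted-quad client IP, "domain": ..., "sender": ...,
          "ident": user id or None}.  Assumed macro letters follow the
    draft's convention of a single letter inside %{...}.
    """
    values = {
        "i": ctx["ip"],
        "d": ctx["domain"],
        "s": ctx["sender"],
        "u": ctx.get("ident") or IDENT_FAIL,   # failure still yields a value
    }
    def sub(m):
        letter = m.group(1)
        if letter not in values:
            raise ValueError("unsupported macro %%{%s}" % letter)
        return values[letter]
    return re.sub(r"%\{([a-z])\}", sub, text)

def expand_with_ident(text, ctx, ident_reply, ports):
    """Combine both steps: ident reply -> %{u} value -> expanded target."""
    return expand_macros(text, dict(ctx, ident=parse_ident_reply(ident_reply, ports)))
```

With a constructed record target such as `%{u}.%{i}._ident.%{d}`, a reply of `25, 51234 : USERID : UNIX : mail` expands to `mail.192.0.2.10._ident.example.com`, while `25, 51234 : ERROR : NO-USER` (or no reply at all) expands to `_ident_fail_.192.0.2.10._ident.example.com`, so the record author can decide what a failed lookup should match.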
