spf-discuss

Re: New macro proposed %{u}

2004-02-02 18:53:50
I think that most people have the view that SPF is used for detecting forgery by monitoring the path from the sending MTA to the receiving MTA. The path from the sending MUA to the sending MTA is a local matter, as is the path from the receiving MTA to the receiving MUA.

Adding more MTAs into the mix complicates the picture. MTAs between the sending and receiving MTA are typically the 'secondary MX' MTAs. This is the reason that Mail::SPF::Query has logic to do the right thing in the presence of these secondary MX MTAs.

The use case that you are laying out seems to be one where you have multiple users on a single system. These users can only use their own domains to send from. You want to be able to enforce this.

My personal feeling is that this is a bit out of scope for SPF. One of the factors that worries me is that it requires that the filtering be done in real-time. Currently, implementations using SPF can perform the checks after the delivery has taken place. This would not be possible with %{u}.

Philip

Dan Boresjo wrote:

On Monday 02 February 2004 10:05 pm, Hallam-Baker, Phillip wrote:

I really don't see the justification here for adding this macro. What
information do we get using this macro that is not available otherwise?


You can discriminate between different parties that connect via the same IP.
Please explain how to do this without %{u} ?

I thought SPF was supposed to be platform-agnostic but your comment here seems to be informed by a very PC-centric single-user-model view.

Also NAT is becoming increasingly common as the migration towards IPv6 recedes into the 25th century...


Besides UNIX how many platforms support ident?


You can run an identd on anything you want, the protocol is an internet standard. A lot of IRC networks require you to run identd.

There are Windows versions here: http://identd.dyndns.org/identd/
http://sourceforge.net/projects/identd/

Just because UNIX is the most commonly used multi-user system and hence the most common identd user is no reason to say it is UNIX-specific.


Is ident likely to make it through a firewall? This is the type of service I
would turn off both incoming and outgoing.


It depends on how you configure the firewall, which in turn depends on what you want. Like whether or not you wish to support ident.


Given the issues that finger exposed most network security admins are going
to turn off the ident daemon if it is there.


You'd be surprised at how common it is outside windows-land, particularly for true multi-user hosts.

- Dan

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname

