I think that most people have the view that SPF is used for detecting
forgery by monitoring the path from the sending MTA to the receiving
MTA. The path from the sending MUA to the sending MTA is a local matter,
as is the path from the receiving MTA to the receiving MUA.

Adding more MTAs into the mix complicates the picture. MTAs between the
sending and receiving MTA are typically the 'secondary MX' MTAs. This is
the reason that Mail::SPF::Query has logic to do the right thing in the
presence of these secondary MX MTAs.

The use case that you are laying out seems to be one where you have
multiple users on a single system. These users can only use their own
domains to send from. You want to be able to enforce this.

My personal feeling is that this is a bit out of scope for SPF. One of the
factors that worries me is that it requires that the filtering be done
in real-time. Currently, implementations using SPF can perform the
checks after the delivery has taken place. This would not be possible
with %{u}.

Philip

Dan Boresjo wrote:
> On Monday 02 February 2004 10:05 pm, Hallam-Baker, Phillip wrote:
> > I really don't see the justification here for adding this macro. What
> > information do we get using this macro that is not available otherwise?
>
> You can discriminate between different parties that connect via the same IP.
> Please explain how to do this without %{u} ?
>
> I thought SPF was supposed to be platform-agnostic but your comment here seems
> to be informed by a very PC-centric single-user-model view.
>
> Also NAT is becoming increasingly common as the migration towards IPv6 recedes
> into the 25th century...
>
> > Besides UNIX how many platforms support ident?
>
> You can run an identd on anything you want, the protocol is an internet
> standard. A lot of IRC networks require you to run identd.
>
> There are Windows versions here:
> http://identd.dyndns.org/identd/
> http://sourceforge.net/projects/identd/
>
> Just because UNIX is the most commonly used multi-user system and hence the
> most common identd user is no reason to say it is UNIX-specific.
>
> > Is ident likely to make it through a firewall? This is the type of service I
> > would turn off both incoming and outgoing.
>
> It depends on how you configure the firewall, which in turn depends on what
> you want. Like whether or not you wish to support ident.
>
> > Given the issues that finger exposed most network security admins are going
> > to turn off the ident daemon if it is there.
>
> You'd be surprised at how common it is outside windows-land, particularly for
> true multi-user hosts.
>
> - Dan

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/