spf-discuss

Re: New macro proposed %{u}

2004-02-02 20:47:17
On Mon, 2004-02-02 at 20:22, Dan Boresjo wrote:
> Anyone can misconfigure their systems with conflicting requirements.
> Saying 'I want ident macro expansion' in your SPF records and then
> blocking ident queries at your firewall would be dumb beyond belief.
> ...
> Perhaps you simply don't understand the proposal...

I'm confused as to how this will work with modern MTAs.  In modern MTAs,
local users submit email to a mail queue, which may or may not be sent
immediately.  Remote authorized users also submit mail to a mail queue. 
Either way, the user submitting the email to the MTA is completely
different than the user that owns the MTA process.  The MTA process
will, itself, make remote connections, and any identd that responds as
to the owner of each connection would respond with information based on
the user that owns the MTA process.

In other words, while it might be possible to change the ownership of the
MTA process during remote delivery to the user who submitted the email,
that doesn't seem very secure from a local security standpoint.  A
custom identd could return the values from the envelope for the message
being sent, but the remote system is given that information anyway as
part of the envelope -- in other words, this provides no extra
information that the receiving MTA doesn't already have.

You'd require an MTA specific identd that looked in the queue of
messages to determine who submitted it and return that information for
an identd to be useful at all in this context.  Alternatively, I can see
a use for this if you only allow email sent from a single machine, and
that machine runs both identd and a DNS server that responds
successfully to exists macros with %u.  And then, this isn't much
different than running with -all in your SPF record.

-- 
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>
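The point about identd answering for the MTA process owner rather than the submitting user can be seen in a toy RFC 1413 exchange. The following is an added example, not code from the list post or from any SPF implementation; the connection table, queue contents, usernames and addresses are constructed, and the queue-aware responder is a hypothetical illustration of the "MTA specific identd" the message describes.

```python
"""Toy RFC 1413 (ident) exchange between a receiving MTA and a sending host.

All data below is constructed for illustration. Classic identd reports the
user that owns the socket, which for a queued delivery is the MTA daemon;
only an MTA-aware responder could map the socket back to the envelope sender.
"""
import re

# Constructed: the sending host's view of its outbound SMTP connections,
# (local_port, remote_port) -> user owning the process that holds the socket.
# Both deliveries are made by the MTA daemon, whoever submitted the mail.
CONNECTIONS = {
    (41022, 25): "postfix",
    (41023, 25): "postfix",
}

# Constructed: what a hypothetical MTA-specific identd would have to consult,
# i.e. which queued message is in flight on each socket.
QUEUE = {
    (41022, 25): "alice@example.org",
    (41023, 25): "bob@example.org",
}

REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def build_request(server_port, client_port):
    """Querier -> ident server: '<port on ident server>, <port on querier>'.

    Here the querier is the receiving MTA and the ident server is the
    sending host, so server_port is the sender's ephemeral port.
    """
    return f"{server_port}, {client_port}\r\n"


def parse_request(line):
    """Return (server_port, client_port) or None for a malformed request."""
    m = REQUEST_RE.match(line.strip())
    if not m:
        return None
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return sp, cp


def ident_respond(line, table=CONNECTIONS):
    """Classic identd: name the user owning the socket (the daemon)."""
    ports = parse_request(line)
    if ports is None:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = ports
    user = table.get((sp, cp))
    if user is None:
        return f"{sp}, {cp} : ERROR : NO-USER\r\n"
    return f"{sp}, {cp} : USERID : UNIX : {user}\r\n"


def queue_aware_respond(line, queue=QUEUE):
    """Hypothetical MTA-specific identd answering with the envelope sender."""
    ports = parse_request(line)
    if ports is None:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = ports
    sender = queue.get((sp, cp))
    if sender is None:
        return f"{sp}, {cp} : ERROR : NO-USER\r\n"
    return f"{sp}, {cp} : USERID : OTHER : {sender}\r\n"


def parse_response(line):
    """Reduce a reply to ('USERID', user) or ('ERROR', error-type)."""
    _ports, _, rest = line.strip().partition(":")
    kind, _, payload = rest.strip().partition(":")
    kind = kind.strip()
    if kind == "USERID":
        _opsys, _, user = payload.partition(":")
        return kind, user.strip()
    return kind, payload.strip()


def who_is_reported(server_port, client_port=25):
    """What the receiving MTA learns from each kind of responder."""
    req = build_request(server_port, client_port)
    return (parse_response(ident_respond(req))[1],
            parse_response(queue_aware_respond(req))[1])


if __name__ == "__main__":
    for port in (41022, 41023):
        print(port, who_is_reported(port))
```

Both deliveries come back as `postfix` from the classic responder, and the queue-aware one only repeats the envelope sender the receiver already saw in `MAIL FROM`.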

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/?listname(_at_)

