spf-discuss

Re: New macro proposed %{u}

2004-02-02 21:08:56
On Tuesday 03 February 2004 3:47 am, Andy Bakun wrote:
> On Mon, 2004-02-02 at 20:22, Dan Boresjo wrote:
>> Anyone can misconfigure their systems with conflicting requirements.
>> Saying 'I want ident macro expansion' in your SPF records and then
>> blocking ident queries at your firewall would be dumb beyond belief.
>> ...
>> Perhaps you simply don't understand the proposal...
>
> I'm confused as to how this will work with modern MTAs.  In modern MTAs,
> local users submit email to a mail queue, which may or may not be sent
> immediately.  Remote authorized users also submit mail to a mail queue.
> Either way, the user submitting the email to the MTA is completely
> different than the user that owns the MTA process.  The MTA process
> will, itself, make remote connections, and any identd that responds as
> to the owner of each connection would respond with information based on
> the user that owns the MTA process.

That's right, the MTA normally runs as 'mail' and is a trusted user. 

The MTA enforces policy: Untrusted users submit mail to the MTA but they 
cannot change the MAIL FROM: return path or the Sender: header. So it's not a 
joe-job, and no problem.

However, user processes can open connections directly to third-party MTAs, and 
there are plenty of valid reasons for wishing to do so. But since the 
MAIL FROM: command is not issued until after the connection is established, 
the sending host cannot reliably enforce 'reverse SPF' upon user processes. 

The receiving host should check SPF and this may include a %{u} check if that 
is what the sending domain's SPF record requires.

- Dan
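As an added illustration of the receiver-side check Dan describes (this is example code written for this archive page, not code from the SPF project or from either poster), the following expander handles the macro letters defined in the SPF draft (%{s}, %{l}, %{o}, %{d}, %{i}, %{v}, %{h}, %{p}) plus the proposed %{u}, which is assumed here to mean the userid returned by the connecting host's identd for the SMTP connection, or "unknown" when no usable reply exists. The ident reply line is constructed; the digit and "r" transformers and the delimiter set follow the draft's macro syntax.

```python
import ipaddress
import re

# Constructed RFC 1413 ident reply (not captured from any real host).
IDENT_REPLY = "25, 40213 : USERID : UNIX : alice"

# %%, %_, %- escapes, or %{letter digits r delimiters}
TOKEN_RE = re.compile(r"%%|%_|%-|%\{([slodipvhu])(\d*)(r?)([.\-+,/_=]*)\}")


def parse_ident_reply(line):
    """Parse an RFC 1413 reply of the form
    '<server-port>, <client-port> : USERID : <opsys> : <userid>'.
    Returns the userid, or None for ERROR replies and malformed lines."""
    parts = [p.strip() for p in line.split(":", 3)]
    if len(parts) != 4 or parts[1] != "USERID" or not parts[3]:
        return None
    return parts[3]


def build_context(sender, client_ip, helo, ident_reply=None):
    """Collect the values each macro letter expands to, as seen by the
    receiving MTA: the MAIL FROM address, the connecting IP and the HELO
    name. %{p} (validated domain) is left as 'unknown' since no DNS is done
    here. %{u} is the assumed ident-derived userid from the proposal."""
    local, _, domain = sender.partition("@")
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        i_val, v_val = str(ip), "in-addr"
    else:
        i_val, v_val = ".".join(ip.exploded.replace(":", "")), "ip6"
    user = parse_ident_reply(ident_reply) if ident_reply else None
    return {"s": sender, "l": local, "o": domain, "d": domain,
            "i": i_val, "v": v_val, "h": helo, "p": "unknown",
            "u": user or "unknown"}


def expand_macros(text, ctx):
    """Expand an SPF macro-string against ctx.  Digits keep the rightmost
    N labels, 'r' reverses the labels, and the trailing characters are the
    delimiter set used to split the value (default '.')."""
    def one(m):
        tok = m.group(0)
        if tok == "%%":
            return "%"
        if tok == "%_":
            return " "
        if tok == "%-":
            return "%20"
        letter, digits, rev, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", ctx[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)
    return TOKEN_RE.sub(one, text)


if __name__ == "__main__":
    ctx = build_context("alice@example.com", "192.0.2.10",
                        "mail.example.com", IDENT_REPLY)
    # A domain owner could key an exists: lookup on the ident user:
    print(expand_macros("%{u}.%{d}", ctx))
    # Standard reversed-IP form from the draft:
    print(expand_macros("%{ir}.%{v}._spf.%{d2}", ctx))
```

Because the userid only becomes available when the receiver queries identd after the connection is up, and the MAIL FROM address arrives later still, both values are in hand only on the receiving side, which is why the expansion belongs to the receiver's SPF check rather than to any policy the sending host could apply to its own users.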

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/

