spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: New macro proposed %{u}

2004-02-03 13:02:16
from [Dustin D. Trammell] [Permanent Link] 
Andy Bakun wrote:

I'm confused as to how this will work with modern MTAs.  In modern
MTAs, local users submit email to a mail queue, which may or may not
be sent immediately.  Remote authorized users also submit mail to a
mail queue. Either way, the user submitting the email to the MTA is
completely different than the user that owns the MTA process.  The
MTA process will, itself, make remote connections, and any identd
that responds as to the owner of each connection would respond with
information based on the user that owns the MTA process.

In otherwords, while it might be possible to change the ownership of
the MTA process during remote delivery to the user who submitted the
email, that doesn't seem very secure from a local security
standpoint.  A custom identd could return the values from the
envelope for the message being sent, but the remote system is given
that information anyway as part of the envelope -- in other words,
this provides no extra information that the receiving MTA doesn't
already have. 

You'd require an MTA specific identd that looked in the queue of
messages to determine who submitted it and return that information for
an identd to be useful at all in this context.  Alternatively, I can
see a use for this if you only allow email sent from a single
machine, and that machine runs both identd and a DNS server that
responds successfully to exists macros with %u.  And then, this isn't
much different than running with -all in your SPF record.


I think you hit his test scenario squarely on the head.  If I remember,
the test scenario was that he wanted his SPF policy to state that only
the mail server process on his mail server could send mail as domain X,
and not any of the users on that host.  In this case, you would NOT want
the mail sever process to change UID's or ident to the user that
authored the mail, because that would cause an SPF fail for his test
case policy.

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)½§Åv¼ð¦¾Øß´ëù1Ií-»Fqx(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Re: "extreme SPF" scenario for ISPs, rgreene(_at_)tclme(_dot_)org
Next by Date:  RE: Re: "extreme SPF" scenario for ISPs, Dustin D. Trammell
Previous by Thread:  Re: New macro proposed %{u}, Philip Gladstone
Next by Thread:  RE: New macro proposed %{u}, Dustin D. Trammell
Indexes:  [Date] [Thread] [Top] [All Lists]