spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: A couple of thoughts

2004-02-22 04:13:05
from [Brian Candler] [Permanent Link] 
On Sun, Feb 22, 2004 at 02:21:28AM -0800, Greg Connor wrote:

--Brian Candler <B(_dot_)Candler(_at_)pobox(_dot_)com> wrote both of:

The advantage of the callback is that you can say for certain that this
*particular* message must have originated from that ISP, and within a
known timeperiod of a few days. It also guarantees that should the
message fail to be delivered, the bounce would be deliverable.


Plus it's a reasonably useful filtering technique in its own right, which
means there's immediate benefit to you in implementing it even if no-one
else has started using SRS.



Excuse me if this has already been asked, but what is the effect of 
SRS-encoding a sender address that is already in SRS format?


IIRR, what I was trying to say is that you should send out *all* messages
SRS-encoded at source. By rejecting all non-SRS-signed bounces you then are
protected from joe-jobs.


If you send 
everything out with SRS-tags, are you risking them being irretrievably 
mangled if some recepient actually uses SRS for forwarding?


No. In a non-SPF world, the forwarder would leave the original SRS envelope
sender unmolested. It would "just work" [TM]

If you are forwarding and the recipient implements SPF, then you need to
rewrite the address using SRS. But the SRS spec already takes care of that.
There is a specific way of modifying an existing SRS address to a new SRS
address, whose RHS domain is your own domain (and therefore will be accepted
by the SPF-aware receiver)


How many times 
can SRS iterate in serial before the original is unrecoverable, or some 
other limit is hit?


It's unlimited, because there is a clever design feature in SRS:

   user(_at_)domain
   -> srs0+stamp+domain+user(_at_)domain2
   -> srs1+domain2+stamp+domain+user(_at_)domain3
   -> srs1+domain2+stamp+domain+user(_at_)domain4
   -> srs1+domain2+stamp+domain+user(_at_)domain5
   -> srs1+domain2+stamp+domain+user(_at_)domain6
   ...etc

The message only retains permanently the cryptographic stamp applied by the
first forwarder, and the first forwarder's domain. Shevek's document
"srs.pdf" is a good read and explains this clearly.

Regards,

Brian.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: DNS gurus: What is the max length of a TXT rec ords?, Greg Connor
Next by Date:  RE: DMP vs SPF, Marc Alaia
Previous by Thread:  Re: A couple of thoughts, Greg Connor
Next by Thread:  Please Move SRS Discussion To SRS-Discuss; Linux Journal diagram, Meng Weng Wong
Indexes:  [Date] [Thread] [Top] [All Lists]