--John Capo <jc(_at_)irbs(_dot_)com> wrote:
Quoting Meng Weng Wong (mengwong(_at_)dumbo(_dot_)pobox(_dot_)com):
[snip]
IF the connection is SMTP auth'ed,
We assume that the MUA will set "From: user(_at_)vanitydomain(_dot_)com".
We assume that the ISP will set "Sender: user(_at_)isp(_dot_)net".
Curious as to how many here can map an SMTP AUTH login to a
specific sender address?
I am not sure of the answer and I would like to find out.
ISPs should be pointed at RFC2476 which says (paraphrasing a bit) If you
can't tell for sure if the current client is allowed to use the return path
they claim, you should substitute a known return path associated with that
client, or reject the message.
My bet is that most ISPs do not do this... and it's not necessarily SPF's
job to remind them, there is already an RFC. If we get to a situation
where stuff passes SPF but is still a forgery, at least we know who to
complain to :)
My customers auth with a mailbox name that may have many addresses
delivered to that mailbox. In some cases a catchall is the only
address or a catchall in several domains. I know catchalls are
evil but customers want them and customers pay the bills.
One possible way for ISPs to comply with RFC2476 is to require users to
register their return addresses, at which time they would send a
confirmation email which you have to reply to or click the link with the
secret. That way you can send mail through their servers using the
verified email address (even if it is not on their network).
Catch-all addresses would be interesting... but maybe a confirmation to
postmaster(_at_)vanity(_dot_)domain would work in that case.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
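
The policy discussed in this thread, sketched as an added example that is not part of the original messages: an SMTP AUTH login is mapped to return addresses it has confirmed by e-mailed secret, a catch-all domain is confirmed through postmaster@, and an unverified MAIL FROM is either replaced with a known return path or rejected. The login name, addresses, secret and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-server secret
# Constructed data: verified return addresses per SMTP AUTH login.
# An entry starting with "@" covers a catch-all domain.
VERIFIED = {"mbox1041": {"user@isp.example", "@vanity.example"}}
DEFAULT_PATH = {"mbox1041": "user@isp.example"}  # known return path per login


def confirmation_recipient(entry: str) -> str:
    """Where the secret is mailed: the address itself, or postmaster@ for a catch-all."""
    return "postmaster" + entry if entry.startswith("@") else entry


def confirmation_token(login: str, entry: str) -> str:
    """Secret tied to (login, entry); only someone who reads that mail can return it."""
    msg = f"{login}\0{entry.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def confirm(login: str, entry: str, token: str) -> bool:
    """Register entry for login only when the returned token matches."""
    expected = confirmation_token(login, entry)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False
    VERIFIED.setdefault(login, set()).add(entry.lower())
    return True


def allowed(login: str, mail_from: str) -> bool:
    """True if the login has verified this exact address or its whole domain."""
    local, _, domain = mail_from.lower().rpartition("@")
    if not local or not domain:
        return False
    entries = VERIFIED.get(login, set())
    return f"{local}@{domain}" in entries or f"@{domain}" in entries


def check_return_path(login: str, mail_from: str, substitute: bool = True):
    """Decide what to do with the MAIL FROM of an authenticated submission."""
    if allowed(login, mail_from):
        return ("accept", mail_from)
    if substitute and login in DEFAULT_PATH:
        return ("substitute", DEFAULT_PATH[login])  # replace with known path
    return ("reject", None)
```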