Re: who will use scopes?
2004-07-08 13:20:28
pamho.net TXT "v=spf1 scope=-helo ip4:81.221.18.146 scope=* -all"
mail.pamho.net TXT "v=spf1 scope=helo ip4:81.221.18.146 scope=* -all"
I notice that these both only allow the same machine. Is there a
security concern here? You control the machine, you configure both
aspects of it (what it uses for HELO and what it uses for other
things.) If you allowed both names in all scopes - you are still only
allowing your machine to do so. Hence, all I can see that the scoping
does is protect against your own mis-configuration. And furthermore,
even if you did mis-configure your machines, the only reputation that
would be on the line is your own, which it is anyway.
(And no, it doesn't protect you against someone else breaking in and
re-configuring - if someone has access to your machine enough to change
what it sends for HELO, you have MUCH bigger problems than SPF can help
with....)
Now, I understand the security dictum of "least permission", and I
recognize that one wants to lock things down as much as possible. But
sometimes the extra strictness doesn't really buy you anything.
Another way to think about it:
SPF isn't a statement about how your machines should be configured.
SPF is a statement about accountability in sending e-mail.
pamho.net TXT "v=spf1 ip4:81.221.18.146 scope=* -all"
mail.pamho.net TXT "v=spf1 ip4:81.221.18.146 scope=* -all"
This says basically, "pamho.net" and "mail.pamho.net" are accountable
if you see them used in a mail transaction, if and only if they come
from 81.221.18.146.
The more restrictive set above says: "pamho.net" is only accountable if
you see it in MAIL-FROM or PRA from machine 81.221.18.146, and
"mail.pamho.net" is only accountable if you see it in HELO from
81.221.18.146.
Not being willing to take accountability for the cross-cases
("pamho.net" in HELO or "mail.pamho.net" in MAIL-FROM or PRA), which
are never going to be seen, doesn't really do any better to protect
your domain names and reputation.
I am not convinced that there aren't very strong cases where
accountability cannot cross scope. This is not such an example.
Please remember - I respect your concern for how you wish to make SPF
statements, and indeed you can, using the %{e} macro. We are only
trying to gather evidence to see if it is worth changing the syntax in
a bigger way than adding another macro letter.
- Mark
Mark Lentczner
http://www.ozonehouse.com/mark/
markl(_at_)glyphic(_dot_)com
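The argument above is that the strict, scoped records and the unscoped records differ only in the "cross-cases" (pamho.net in HELO, mail.pamho.net in MAIL-FROM or PRA), and that for any machine other than 81.221.18.146 both record sets give the same answer. The following is an added example, not code from the original post or from any SPF implementation: a minimal evaluator for the ip4 and all mechanisms plus the proposed scope= modifier, with the semantics assumed from the post (scope=* applies to every identity, scope=helo to HELO only, scope=-helo to every identity except HELO). The four records and the address 81.221.18.146 are taken from the post; the scope names helo/mfrom/pra and the second address 192.0.2.1 are constructed for the demonstration.

```python
import ipaddress

# Identity scopes as named in the thread: HELO, MAIL FROM and PRA.
# (Scope names are an assumption for this example.)
SCOPES = ("helo", "mfrom", "pra")

# The four records quoted in the post. STRICT uses the proposed scope=
# modifier to split HELO from MAIL-FROM/PRA; LOOSE vouches for both
# names in every scope.
STRICT = {
    "pamho.net":      "v=spf1 scope=-helo ip4:81.221.18.146 scope=* -all",
    "mail.pamho.net": "v=spf1 scope=helo ip4:81.221.18.146 scope=* -all",
}
LOOSE = {
    "pamho.net":      "v=spf1 ip4:81.221.18.146 scope=* -all",
    "mail.pamho.net": "v=spf1 ip4:81.221.18.146 scope=* -all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_scope(arg):
    """Assumed semantics of scope=ARG: '*' selects every scope, 'helo' only
    that scope, '-helo' every scope except that one."""
    if arg == "*":
        return set(SCOPES)
    if arg.startswith("-"):
        name = arg[1:]
        if name not in SCOPES:
            raise ValueError("unknown scope: " + name)
        return set(SCOPES) - {name}
    if arg not in SCOPES:
        raise ValueError("unknown scope: " + arg)
    return {arg}


def evaluate(record, scope, client_ip):
    """Evaluate one record for one identity scope and client address.
    Supports only ip4 and all, the four qualifiers, and scope=.
    Returns 'pass', 'fail', 'softfail' or 'neutral' (neutral when nothing matches)."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an spf1 record")
    ip = ipaddress.ip_address(client_ip)
    active = set(SCOPES)  # until a scope= appears, mechanisms apply everywhere
    for term in terms[1:]:
        if term.startswith("scope="):
            active = parse_scope(term[len("scope="):])
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if scope not in active:
            continue  # this mechanism is scoped out for the identity being checked
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            raise ValueError("unsupported mechanism in example: " + term)
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"


def results(records, client_ip):
    """Result for every (domain, scope) pair in a record set."""
    return {(domain, scope): evaluate(rec, scope, client_ip)
            for domain, rec in records.items() for scope in SCOPES}


def cross_case_differences(client_ip):
    """The (domain, scope) pairs where STRICT and LOOSE disagree for this client.
    Non-empty only for the cross-cases, and only when the client is the
    listed machine; any other address fails under both record sets."""
    strict, loose = results(STRICT, client_ip), results(LOOSE, client_ip)
    return {key for key in strict if strict[key] != loose[key]}


if __name__ == "__main__":
    for client in ("81.221.18.146", "192.0.2.1"):  # second address is constructed
        print(client)
        for key, value in sorted(results(STRICT, client).items()):
            print("  strict %-16s %-5s -> %s" % (key[0], key[1], value))
        print("  differs from loose at:", sorted(cross_case_differences(client)))
```

Running it shows the post's claim in tabular form: for 81.221.18.146 the strict set fails exactly the three cross-cases that the loose set passes, and for any other address every (domain, scope) pair fails under both sets, so the scoping never changes what a third-party machine can claim.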