spf-discuss

Re: SPF and Responsibility

2004-07-21 13:42:40
On Wednesday 21 July 2004 22:23, Stuart D. Gathman wrote:

> I am in the same situation for my vanity domain.  I have a server
> that I use to send mail, and that all members of the domain should
> use as well.  But various family members are on ISPs and don't know how to
> use the proper mail profile configured for SMTP AUTH (remembering to
> use port 525 since 25 is blocked is a problem as well).  So the SPF record
> looks like this:
>
>   v=spf1 mx:bmsi.com ?ptr:cox.net ?ptr:earthlink.net -all
>
> If it comes from one of those ISPs, then I can't make any guarantees :-)
> Lots of people send mail through those ISPs, and the ISP makes no attempt
> at authentication.
>
> If it comes from any other ISP, however, it is definitely a FAIL.
>
> And if they use a correct mail profile, then they get a definite PASS.

I have a setup of the same sort, but I solve things differently:

1/ My MTA (legit mail sender for my domain) is configured to listen on 587 as 
well as 25 to overcome some ISPs' port 25 filtering.
2/ I have produced X.509 certs for the "usually roaming" users of my domain. 
They have installed these certs into their MUA (i.e. Mozilla or KMail...)
3/ My MTA will accept relaying mail coming from a TLS connection with 
presentation of one of the known X.509 certs.

Some of my users however cannot / don't know how to configure their MUA to use 
TLS+X.509 cert.

For these I use the "exists" mechanism to build an entry that will be 
looked up in DNS to check if the user is allowed or not through a given server.

So I don't add an entry for "?ptr:thisISP.net", but an entry valid for a 
specific user + a given server (or actually rather a /24).

That gives: "exists:%{i3r}.%{l1r+-}._spf.%{d}"

And then the DNS entry could be:
123.213.232.someuser._spf.mydomain.org  127.0.0.2

The window left to abusers is narrower, each user having his own set of 
allowed sending machines.

(Plus the fact that monitoring the DNS requests allows me to audit possible 
forgeries to some extent, and know which /24 they come from)

-- 
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E
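
The "exists" macro from the message above, expanded per the SPF macro rules and checked against a constructed zone, as an added example (not code from the original post; the IP, sender addresses and zone contents are constructed sample values). %{i3r} yields the reversed /24 of the connecting IP, %{l1r+-} the sender's local-part with any +tag stripped, and %{d} the sender domain, so one A record authorises one user from one /24.

```python
"""Expand an SPF 'exists' macro and look the resulting name up in a zone.
Added example, not from the original post; the zone, IP and sender
addresses below are constructed sample values."""
import re

# %{letter}[digits][r][delimiters] - the subset of the SPF macro syntax
# (RFC 4408 section 8) that the mechanism on the list uses: i, l and d.
MACRO = re.compile(r"%\{([ild])(\d*)(r?)([.\-+,/_=]*)\}")

# Mechanism exactly as posted; the macro part follows "exists:".
MECHANISM = "exists:%{i3r}.%{l1r+-}._spf.%{d}"

# Constructed zone: one A record per (user, sending /24) that is allowed.
# 123.213.232 is the reversed /24 of 232.213.123.0/24.
ZONE = {
    "123.213.232.someuser._spf.mydomain.org": "127.0.0.2",
}


def expand(macro, ip, sender):
    """Expand i (client IP), l (local-part) and d (domain of sender).
    Transformers: delimiters split into labels, 'r' reverses the label
    order, and a digit keeps only that many rightmost labels; labels
    are always rejoined with dots."""
    local, _, domain = sender.rpartition("@")
    values = {"i": ip, "l": local, "d": domain}

    def substitute(match):
        letter, digits, reverse, delims = match.groups()
        labels = re.split("[%s]" % re.escape(delims or "."), values[letter])
        if reverse:
            labels.reverse()
        if digits:
            labels = labels[-int(digits):]
        return ".".join(labels)

    return MACRO.sub(substitute, macro)


def exists_matches(ip, sender, mechanism=MECHANISM, zone=ZONE):
    """True when the expanded name has an A record, i.e. 'exists' matches."""
    name = expand(mechanism[len("exists:"):], ip, sender)
    return name in zone


if __name__ == "__main__":
    print(expand(MECHANISM[len("exists:"):], "232.213.123.45",
                 "someuser@mydomain.org"))
    print(exists_matches("232.213.123.45", "someuser+list@mydomain.org"))
    print(exists_matches("232.213.123.45", "otheruser@mydomain.org"))
```

Note that the "+-" delimiter set also splits a local-part such as john-doe, which %{l1r+-} would reduce to "john"; the zone names must be built with the same rule.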

