spf-discuss

Re: Need to promote process changes

2004-07-29 05:38:55
On Thu, 2004-07-29 at 05:21, Chris Haynes wrote:

I think it may be necessary, when promoting SPF, to place a lot of emphasis
on the need for domain administrations to update their processes and
procedures to ensure that the SPF records are reviewed _every time_ there is
any other DNS change.

Would it be a good idea to extend the "Management" and "Sysadmin" sections of
spf.pobox.com with advice for adopters to update their processes and
procedures?

Excellent points and ideas.

However, in addition to the people involved changing their processes and
procedures to review spf records _every time_ there are changes, I
wonder if these reviews could *also* be partially automated:

1.  I do virus checks on incoming mails, but I also do those very
    same virus checks on *outgoing* mails.  After all, why should
    I let my MTA send emails that I wouldn't let that same MTA accept?

    What about the spf case?  Do any of the spf tools/milters let
    you do spf checks on outgoing mails as well, so you can set up
    your MTA so it refuses to send mails that would fail spf checks?

    (This wouldn't catch all transient problems due to propagating DNS
    changes, but at least for a good many problems, users and thus
    sysadmins would get pretty quick notice of problems.)

    Yes, this sounds like a silly sort of test to do, but it would
    immediately catch a lot of organizational snafus that can occur
    in the real world.

2.  Anyone making GUI-ish or webmin-type tools could perhaps verify
    on every MTA config change that the edited domain or configuration
    wouldn't result in failures for outgoing mails.  (Marketing types
    would enjoy listing this sort of feature in feature-comparison
    charts.)

From the point of view of a sysadmin, configuring systems so that (1) is
true and using admin tools where (2) is true can help you keep from
shooting yourself in the foot--or at least you'll more quickly be
notified of that fact when you do let it happen, usually. :-)

From the point of view of an MTA or MTA-related-tool author, (2) can
help you market your particular product.

And from the point of view of sysadmins and manager-types, having
official corporate guidelines of "be sure to double-check this, this,
and this", as Chris suggests, will make them not worry so much about
automated tools that don't catch every type of problem.

The advice in spf.pobox.com tends to read as if adopting SPF is a one-shot
activity.

I keep a flashlight in my car.

From time to time I'll notice it in the floor of the backseat, which
will just remind me that it's there, and I'll suddenly be all at ease
with the fact that if my car breaks down at night in the middle of
nowhere, that I'll be able to see clearly.

That is, until one day when I tried to use that same flashlight in a
non-emergency situation and realized that I hadn't replaced the
batteries in years.

Smoke detectors beep at you when their batteries run low.  Flashlights
don't.  While it makes a lot of sense to change all those batteries on
every shift to and from daylight savings time, it's nice if the tools
also alert you themselves when there are problems.

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
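
An added example, not part of the original message: a sketch of the outgoing-mail check from point 1, which evaluates each outbound relay address against the domain's own SPF record and reports the relays whose mail would not pass. The function names, the record and the addresses are constructed for illustration, and only the ip4, ip6 and all mechanisms are evaluated, so the check runs without DNS.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_outbound(record, ip):
    """SPF result for ip using only the ip4/ip6/all mechanisms of record.

    Returns "needs-dns" when a mechanism that requires a lookup (a, mx,
    include, ...) is reached before any match; this sketch runs offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = False
    for term in terms[1:]:
        if "=" in term:  # modifier (redirect=, exp=), not a mechanism
            redirect = redirect or term.lower().startswith("redirect=")
            continue
        result = QUALIFIERS.get(term[0], "pass")  # no qualifier means "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return result
        if name not in ("ip4", "ip6"):
            return "needs-dns"
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if net.version != int(name[2]):
            return "permerror"
        if addr in net:
            return result
    return "needs-dns" if redirect else "neutral"

def audit(record, relay_ips):
    """Map each outbound relay that would not get 'pass' to its result."""
    results = {ip: check_outbound(record, ip) for ip in relay_ips}
    return {ip: r for ip, r in results.items() if r != "pass"}

# Constructed sample data (documentation address ranges).
RECORD = "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:25::/64 -all"
RELAYS = ["192.0.2.10", "2001:db8:25::1", "198.51.100.7"]  # last one: new relay

if __name__ == "__main__":
    for ip, result in audit(RECORD, RELAYS).items():
        print(f"{ip}: outgoing mail would get SPF {result}")
```

Run on every DNS or MTA configuration change, a non-empty result from audit() is the low-battery beep: a relay was added or moved without the SPF record being reviewed.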

