Re: Is SPF Authenication or Authorization?
2004-09-22 14:51:26
Dave Crocker wrote:
> On Wed, 22 Sep 2004 00:34:17 GMT, Mark wrote:
> > Exactly. That was my point all along. :) In fact, under SPF
> > "classic" there is no guarantee that MAIL FROM is actually an
> > existing address, even! Much less authenticated, at that.
>
> Let's see. SPF requires on-going infrastructure-level
> administration, since it registers MTA IP Addresses. SPF also
> requires changes in relaying and forwarding behavior, for a number of
> scenarios. And lastly, SPF is stated to be intended to prevent
> phishing.
>
> Phishing is about spoofed addresses.
>
> Yet you say that the mailfrom might still be invalid?

Uh, yeah. :) Since the MTA is a shared resource, the "local" (LHS) part of
the email address is also shared; hence, a variable. And unless you tie the
2821 entity to the SASL/otherwise AUTH info, there is no telling which of
your users actually sent the message. It has been like that since day one.

There is no reason to exaggerate this "spoofing", though, as the extent is
only local. Simply put: only users on your system can set their address to
another user of that system (or likely a non-existing, local user even), as
they are the only ones who have access to your MTA. And there is no way for
you, or anyone else, for that matter, to know about this spoofing even,
unless you took measures like I described above.

SPF will stop third-party spoofing of mailfrom addresses using your domain
name. That is, in reality, probably the most important thing. A local user
setting his email address to that of another local user, well, if he abuses
his account, you can always yank it. :)

From the receiving end, using only SPF on both sides, the recipient can be
absolutely certain that the sender is authorized to use your domain name(s);
the only thing he cannot be sure of, is which of your local users it
actually is.

- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx