spf-discuss

Re: Is SPF Authentication or Authorization?

2004-09-22 14:51:26
Dave Crocker wrote:

> On Wed, 22 Sep 2004 00:34:17 GMT, Mark wrote:
>
>> Exactly. That was my point all along. :) In fact, under SPF
>> "classic" there is no guarantee that MAIL FROM is actually an
>> existing address, even! Much less authenticated, at that.
>
> Let's see.  SPF requires on-going infrastructure-level
> administration, since it registers MTA IP Addresses.  SPF also
> requires changes in relaying and forwarding behavior, for a number of
> scenarios.  And lastly, SPF is stated to be intended to prevent
> phishing.
>
> Phishing is about spoofed addresses.
>
> Yet you say that the mailfrom might still be invalid?

Uh, yeah. :) Since the MTA is a shared resource, the "local" (LHS) part of the email address is also shared; hence, a variable. And unless you tie the 2821 entity to the SASL/otherwise AUTH info, there is no telling which of your users actually sent the message. It has been like that since day one.

There is no reason to exaggerate this "spoofing", though, as the extent is only local. Simply put: only users on your system can set their address to another user of that system (or likely a non-existing, local user even), as they are the only ones who have access to your MTA. And there is no way for you, or anyone else, for that matter, to know about this spoofing even, unless you took measures like I described above.

SPF will stop third-party spoofing of mailfrom addresses using your domain name. That is, in reality, probably the most important thing. A local user setting his email address to that of another local user, well, if he abuses his account, you can always yank it. :)

From the receiving end, using only SPF on both sides, the recipient can be absolutely certain that the sender is authorized to use your domain name(s); the only thing he cannot be sure of is which of your local users it actually is.

- Mark

       System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
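An added illustration of the distinction Mark draws above (example code written for this page, not from the thread or any SPF implementation): a toy evaluator of an `ip4`/`-all` SPF record, which passes any local part sent from an authorized MTA, beside the submission-side check that ties the RFC 2821 MAIL FROM to the SASL-authenticated identity. The domain, addresses and record are constructed.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain; stands in for a DNS TXT lookup.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 -all",
}


def spf_check(client_ip, mail_from):
    """Simplified SPF "classic" check supporting only ip4 mechanisms and -all.

    Only the domain of the MAIL FROM is evaluated against the connecting
    MTA's IP address; the local part (LHS) is never looked at, so an
    authorized MTA passes for any user, existing or not.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"  # third-party MTA spoofing the domain is rejected
    return "neutral"


def submission_check(auth_user, mail_from):
    """Submission-side measure the post refers to: bind MAIL FROM to the
    SASL identity so one local user cannot send as another local user.
    The one-to-one mapping is a hypothetical, simplest-case policy.
    """
    return mail_from.lower() == auth_user.lower()


if __name__ == "__main__":
    print(spf_check("192.0.2.5", "alice@example.org"))    # pass
    print(spf_check("192.0.2.5", "nobody@example.org"))   # pass: local part unchecked
    print(spf_check("198.51.100.7", "alice@example.org")) # fail: unauthorized MTA
    print(submission_check("bob@example.org", "alice@example.org"))  # False
```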