Mark wrote:
Dave Crocker wrote:
well, as long as the threat is limited to the few (1?, 10? 70?)
millions of users that share my ISP's MTA, I guess that's ok.
Do I detect a hint of sarcasm? :) Seriously, though, I look upon these
things in terms of phases. We're in a transitional phase now, where
ISP's are encouraged to start enforcing the use of SMTP AUTH. Once
that process has completed, or largely so, AUTH info could be used to
do forced address rewriting. We're not there yet, though. For now, SPF
will already stop foreign parties from spoofing your domain name; that
is not bad.
I agree. SPF was never designed to make ISPs internally responsible.
It was designed to prevent people outside their realm from using their
domain in the return path of messages. The Ecelerity MTA supports
restricting the RFC2821.MailFrom (and even the RFC2822.From) based on
SMTP AUTH information or client SSL certs. I think yu can jury-rig the
same thing in Exim (and likely others). The technology is there,
adoption is the challenge.
I would say that if it was painless, most ISPs would already be doing
it. However, it is a customer service nightmare to implement such a
policy with existing users. Forcing new users into this paradigm is
much easier.
Once again making me glad I am not a large ISP -- building tools for
this is much better ;-)
--
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// Postal Engine -- http://www.postalengine.com/
// Ecelerity: fastest MTA on Earth