spf-discuss

Re: Is SPF Authentication or Authorization?

2004-09-23 06:44:17
On Thu, 23 Sep 2004, Theo Schlossnagle wrote:

> I agree.  SPF was never designed to make ISPs internally responsible.  It was
> designed to prevent people outside their realm from using their domain in the
> return path of messages.  The Ecelerity MTA supports restricting the
> RFC2821.MailFrom (and even the RFC2822.From) based on SMTP AUTH information or
> client SSL certs.  I think you can jury-rig the same thing in Exim (and likely
> others).  The technology is there, adoption is the challenge.
>
> I would say that if it was painless, most ISPs would already be doing it.
> However, it is a customer service nightmare to implement such a policy with
> existing users.  Forcing new users into this paradigm is much easier.

My approach to this is to make it opt-in. Some users can continue as they
are, while others who opt for forgery protection get some benefits (no
collateral spam and unforgeable return path addresses) and restrictions
(message submission only via SMTP AUTH and my servers).
http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/antiforgery/cam.txt

> Once again making me glad I am not a large ISP -- building tools for this is
> much better ;-)

I get to do both :-)

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
RATTRAY HEAD TO BERWICK ON TWEED: NORTHWEST 5 TO 7, PERHAPS GALE 8 LATER NEAR
RATTRAY HEAD. SHOWERS. GOOD. SLIGHT OR MODERATE, BECOMING ROUGH NEAR RATTRAY
HEAD AND BERWICK.