spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

moving on from MARID

2004-09-24 09:52:07
from [Meng Weng Wong] [Permanent Link] 
I suggest that we proceed under the working assumption that
the patent apps do not in fact cover SPF Classic.

I propose that we focus on developing and refining Unified
SPF, with the following main points:

1) Receivers should check all three identities:

  A) HELO hostname
  B) MAIL FROM return-path
  C) SUBMITTER if provided
  D) if checking is done after the DATA command, the PRA

I say "three identities" because C and D are really the same
thing according to the SUBMITTER spec, yet SUBMITTER can be
treated as a first-class identity in its own right.

2) Reputation systems are to be an integral component of
   Unified SPF.  We define a positive result as "the
   identity authenticates, AND the identity is recognized by
   the receiver at the policy level".  If any one of the
   identities returns a positive result, we let the message
   through.  If none of the identities returns a positive
   result, and an authentication or policy fail was detected
   for any one of them, we reject.  Otherwise, receiver
   systems can proceed with the usual gauntlet of antispam
   checks.

3) Forwarders are expected to send SUBMITTER if the
   receiving system supports it, so they can pass test C.
   Forwarders are also expected to put records on their HELO
   hostnames so they can pass test A.

The above points have the following implications.

4) Receivers SHOULD support the SUBMITTER extension.

5) If (a receiver supports the SUBMITTER extension
       AND none of the provided identities are recognized
      )
   THEN it MAY reject before DATA without examining PRA.

6) IF (a receiver supports the SUBMITTER extension
       AND the sender sent a SUBMITTER value
       AND the SUBMITTER value authenticates correctly with PASS
       AND the receiver recognizes the SUBMITTER (at the policy level)
      )
   THEN it SHOULD accept the message.

7) IF (a receiver supports the SUBMITTER extension
       AND the sender sent a SUBMITTER value
       AND the SUBMITTER value does not return an authentication PASS
      )
   THEN it SHOULD reject the message.

I obviously haven't enumerated all the cases, so please
ask...  I basically want to see a world where we respect the
SPF Classic auth rejections, but where we can "whitelist"
forwarders easily by HELO or by SUBMITTER, thus reducing the
need for SRS.

I have a prototype reputation system up and running so
punting tough questions in that direction is actually
allowed by the rules now.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Look at that patent application again, Holm, Mark
Next by Date:  Re: moving on from MARID, Meng Weng Wong
Previous by Thread:  confused !, Shoaib
Next by Thread:  Re: moving on from MARID, Meng Weng Wong
Indexes:  [Date] [Thread] [Top] [All Lists]