On Wed, Sep 29, 2004 at 01:18:49PM -0700, william(at)elan.net wrote:
|
| Next comes Mail-From which is what SPF Classic is all about and what most
| on this list seem most interested in. As I noted, it fails with forwarders
| and people want a way out of this situation to be able to whitelist every
| forwarder. The proposal to allow MAIL-From through if either HELO or
| SUBMITTER check is ok is unfortunately not sufficiently bullet-proof, it is
| simply too easy for a bad guy to just use some other domain that he controls
| (maybe a throw-away domain that is immediately given up) to bypass this
| kind of setup. Besides that as you quickly would note the HELO and SUBMITTER
| should verify no matter what mail-from does so making mail-from dependent
| on them buys you nothing.

This is the #1 most common misunderstanding of Unified SPF.

People seem to think:

wrong: an auth pass for HELO or SUBMITTER
wrong: overrides
wrong: an auth fail for MAIL-FROM

I would like to emphasize that the above text, indicated by
"wrong", is wrong.

right: an auth+policy pass for HELO or SUBMITTER
right: overrides
right: an auth fail for MAIL-FROM.

The "policy" component is required: it means that the
receiver must have chosen to trust the HELO or SUBMITTER.

The requirement that "policy" must pass keeps out the bad guys.

People seem to have a real hard time thinking in two
dimensions (auth + policy) rather than just one (auth
alone).
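
The two-dimensional rule from the message above, written out as a receiver-side decision function. This is an added example, not part of the original message or of any SPF implementation; the `Identity` type, the `TRUSTED` set, the result strings and all domains are constructed for illustration, and the authentication results are taken as given inputs rather than computed from DNS.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed receiver policy: domains this receiver has chosen to trust as forwarders.
TRUSTED = frozenset({"forwarder.example"})

@dataclass(frozen=True)
class Identity:
    name: str     # "HELO", "SUBMITTER" or "MAIL-FROM"
    domain: str
    auth: str     # result of the authentication check: "pass", "fail" or "none"

def vouches(ident: Optional[Identity], trusted, require_policy: bool) -> bool:
    """True if this identity may override a MAIL-FROM fail."""
    if ident is None or ident.auth != "pass":
        return False                          # auth dimension did not pass
    if not require_policy:
        return True                           # the "wrong" reading: auth alone
    return ident.domain.lower() in trusted    # policy dimension: receiver chose to trust it

def evaluate(mail_from, helo=None, submitter=None, trusted=TRUSTED, require_policy=True):
    """Return (result, reason) for the message's MAIL-FROM."""
    if mail_from.auth != "fail":
        return mail_from.auth, "MAIL-FROM result stands"
    for ident in (helo, submitter):
        if vouches(ident, trusted, require_policy):
            return "override", f"{ident.name} {ident.domain} overrides MAIL-FROM fail"
    return "fail", "no authenticated and trusted HELO or SUBMITTER"

# Constructed sample identities.
MF = Identity("MAIL-FROM", "sender.example", "fail")
FORWARDER = Identity("HELO", "forwarder.example", "pass")   # authenticated, trusted
THROWAWAY = Identity("HELO", "throwaway.example", "pass")   # authenticated, not trusted
SPOOFED = Identity("SUBMITTER", "forwarder.example", "fail")  # trusted name, auth fails

if __name__ == "__main__":
    for helo, sub in ((FORWARDER, None), (THROWAWAY, None), (None, SPOOFED)):
        right = evaluate(MF, helo, sub)
        wrong = evaluate(MF, helo, sub, require_policy=False)
        print("auth+policy:", right[0], "| auth alone:", wrong[0])
```

Only the first case overrides under the auth+policy rule; the throw-away domain overrides only when `require_policy` is switched off, which is the auth-alone reading the message calls wrong.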