spf-discuss

Re: Re: Unified SPF Algorithm

2004-10-03 15:53:11


--Frank Ellermann <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> wrote:

Meng Weng Wong wrote:

People seem to think:

wrong:  an auth pass for HELO or SUBMITTER
wrong:  overrides
wrong:  an auth fail for MAIL-FROM

I would like to emphasize that the above text, indicated by
"wrong", is wrong.

right:  an auth+policy pass for HELO or SUBMITTER
right:  overrides
right:  an auth fail for MAIL-FROM.

The "policy" component is required: it means that the
receiver must have chosen to trust the HELO or SUBMITTER.

After my long list of NAKs to your attempted murder of v=spf1
here's finally something where I fully agree.  Reading "WL"
instead of "policy", but that's probably what you mean (?)


I agree with this as well.


I still don't see where SUBMITTER is really necessary in this
concept.  An SPF-tested HELO found in a local white list, why
isn't that good enough for forwarding scenarios?  It's very
similar to trusted-forwarder.org, only better.  Where's the
added value of SUBMITTER?  The SUBMITTER stuff changes SMTP,
it works only for new MTAs.  The HELO solution works with all
MTAs supporting v=spf1 resp. spf2.0/mfrom, and that's all you
need as forwarder.  If an MTA doesn't support SPF, then you
need no tricks to overrule an spf2.0/mfrom FAIL.  Bye, Frank


Here is one theoretical/hypothetical case.

1. pobox.com is my forwarder. pobox.com will process my incoming mail and forward it to my real address with SUBMITTER=gconnor(_at_)pobox(_dot_)com
2. pobox.com also sends mail out, on behalf of its customers.
3. Cases 1. and 2. might use the same outgoing gateway.

Therefore, I want to whitelist only mail that was intended for me and forwarded on my behalf, and other mail coming from the same HELO (outgoing, not forwarded) doesn't necessarily merit whitelisting. In other words, I am paranoid, so I don't trust ALL mail pobox.com sends, but I do trust them to only set SUBMITTER=gconnor(_at_)pobox(_dot_)com if they are actually forwarding for me.

Not all forwarders will use SUBMITTER, but we could allow them an extra method in case they want it.

Now, I'm not saying it's a high priority, but I would rather err on the side of giving folks options, even if I can't 100% prove they will use them.


--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
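The precedence rule argued over in this thread (an auth+policy pass for HELO or SUBMITTER overrides a MAIL-FROM fail, an auth pass alone does not), worked through in code as an added example that is not part of the original post or of any SPF implementation. The whitelist contents, the gateway name mx.pobox.com and the sender addresses are constructed sample data, and the helper names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    kind: str        # "helo", "submitter" or "mailfrom"
    value: str       # HELO domain, or the SUBMITTER / MAIL FROM address
    spf_result: str  # "pass", "fail", "softfail", "neutral" or "none"

@dataclass
class ReceiverPolicy:
    """The 'policy' half: identities this receiver has chosen to trust."""
    trusted_helo: set = field(default_factory=set)
    trusted_submitter: set = field(default_factory=set)

    def trusts(self, ident: Identity) -> bool:
        if ident.kind == "helo":
            return ident.value.lower() in self.trusted_helo
        if ident.kind == "submitter":
            return ident.value.lower() in self.trusted_submitter
        return False

def unified_verdict(mailfrom: Identity, overrides: list, policy: ReceiverPolicy) -> str:
    """Final verdict for the MAIL FROM identity.

    A MAIL FROM fail is overridden only by a HELO or SUBMITTER identity
    that both passed SPF (auth) and is on the local whitelist (policy).
    """
    if mailfrom.spf_result != "fail":
        return mailfrom.spf_result
    for ident in overrides:
        if ident.spf_result == "pass" and policy.trusts(ident):
            return "pass"  # auth + policy: the fail is overridden
    return "fail"          # auth alone, or no override at all: fail stands

def greg_scenario() -> dict:
    """Greg's pobox.com case: trust the SUBMITTER, not the shared gateway."""
    policy = ReceiverPolicy(trusted_submitter={"gconnor@pobox.com"})
    helo = Identity("helo", "mx.pobox.com", "pass")           # shared outgoing gateway
    mailfrom = Identity("mailfrom", "alice@example.org", "fail")  # original sender fails at us
    forwarded = Identity("submitter", "gconnor@pobox.com", "pass")
    outgoing = Identity("submitter", "someone-else@pobox.com", "pass")
    return {
        "forwarded_for_me": unified_verdict(mailfrom, [helo, forwarded], policy),
        "outgoing_same_gateway": unified_verdict(mailfrom, [helo, outgoing], policy),
        "no_submitter": unified_verdict(mailfrom, [helo], policy),
    }
```

Only the message carrying a whitelisted SUBMITTER gets its MAIL-FROM fail overridden; mail from the same HELO without that SUBMITTER is still rejected, which is exactly the distinction Greg's HELO-only whitelist could not make.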