Hi !!
>> you are assuming that there are plenty of roaming users who do not use
>> their central SMTP server, which is wrong.
> I don't think so David. You may have experience of that, but I suggest there
> are a significant number of people who are roaming users and who send mail
> from whatever server they can get onto, i.e. a different dial-up ISP.
maybe we have to get access to real statistics to continue. In any case
there is no reason why a user must use his dial-up ISP's relay to send
mail, as there are standardized ways to allow them to send mail from
his domain MTA. On the other hand, letting users use any MTA to send
mail on behalf of my domain opens my domain to all sorts of forgeries
(as that external MTA's security is out of my control).
> That's ok if they have a connection from a reasonable ISP - some ISPs block
> the use of mail services other than their own.
yes, but port 587 is just for those cases, and this port is never blocked.
> But the whole point is that you're suggesting SES is the way forward to
> authenticate e-mail senders, so it *will* be forced on people, if it became
> a standard.
I'm not pretending to suggest this, I only suggest that SES is better
than SRS to solve the forwarding problem, so it will be forced just for
people publishing SPF records with -all.
> SRS just isn't going to happen - given the amount of infrastructure that
> will need patching/modifying. SES looks better, if the roaming user could
> be more easily accommodated.
maybe the problem is how roaming users use MTAs:
a) if they run their own MTA, then either SES should be disabled for
their account, or they must run their own validation service, or they
must send their keys to the MTA admin
b) if they use another ISP's MTA then I will suggest either to disable SES
for those users or force them to use my MTA. Having people able
to use any MTA also has problems with SPF: you need to make a very
good configuration on the SPF record to allow only certain IP
addresses to send mail on behalf of (only) the roaming user
that will be using that IP, unless you want all your domain exposed
to forgery. On the other hand, there is little chance that the
external MTA will make proper checks to ensure that the roaming user
will only be able to use their own address (I've seen some MTAs allowing
any kind of relaying to any authenticated user). So if you want to have total
control over your domain's security it will be better to have all
of your users use your own MTAs. This is by far easier than any
other solution.
--
Best regards ...
It's a fine line between fishing & standing still
----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. e-mail david(_at_)ols(_dot_)es
Pintor Vayreda 1 telf +34 902 50 29 75
08184 Palau-Solita i Plegamans movil +34 670 35 27 53
----------------------------------------------------------------
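As an added illustration (not code from this thread, nor from any SPF or SES implementation), a minimal SPF evaluator for ip4/ip6 mechanisms that shows the point made about roaming users above: SPF authorizes sending IPs per domain, not per user, so listing an external ISP MTA's address for one roaming user authorizes that MTA for every address in the domain. The IP addresses, records and mailbox names are constructed.

```python
import ipaddress

# Minimal SPF check: handles only ip4:/ip6: mechanisms and the "all" term
# with its qualifier. include/a/mx/redirect are deliberately left out; this
# is an illustration of the authorization model, not a full RFC 7208 checker.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed values (documentation address ranges, not real hosts):
OWN_MTA = "192.0.2.10"       # the domain's own submission/relay MTA
ISP_MTA = "198.51.100.7"     # an external dial-up ISP's MTA a roamer might use
STRICT_RECORD = "v=spf1 ip4:192.0.2.10 -all"
ROAMING_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.7 -all"
DOMAIN_MAILBOXES = ["alice", "bob", "ceo"]   # bob is the only roaming user


def check_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none for sender_ip against record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                         # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qual]        # "all" matches everything
        if term.lower().startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"                       # nothing matched and no "all" term


def authorized_senders(record: str, sender_ip: str, mailboxes: list[str]) -> list[str]:
    """Mailboxes in the domain that sender_ip may put in MAIL FROM under record.

    SPF carries no local-part scoping, so the answer is all-or-nothing: once an
    IP passes, it passes for every address in the domain, not just the roamer.
    """
    return list(mailboxes) if check_spf(record, sender_ip) == "pass" else []


if __name__ == "__main__":
    print("strict, ISP MTA:", check_spf(STRICT_RECORD, ISP_MTA))
    print("roaming, ISP MTA may send as:",
          authorized_senders(ROAMING_RECORD, ISP_MTA, DOMAIN_MAILBOXES))
```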