-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of David
Sent: Friday, November 12, 2004 2:40 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SRS/SES mailing lists?
Hi !!
you are assuming that there are plenty of roaming users that do not use their central smtp server, which is wrong.
I don't think so David. You may have experience of that, but I suggest there are a significant number of people who are roaming users and who send mail from whatever server they can get onto, i.e. a different dial-up ISP.
maybe we have to get access to real statistics to continue. In any case there is no reason why a user must use his dial-up isp relay to send mail as there are standardized ways to allow them to send mail from his domain mta. On the other hand letting users use any mta to send mail on behalf of my domain opens my domain to all sorts of forgeries (as that external mta's security is out of my control).
That's ok if they have a connection from a reasonable ISP - some ISP's block the use of mail services other than their own.
yes, but port 587 is just for those cases, and this port is never blocked.
But the whole point is that you're suggesting SES is the way forward to authenticate e-mail senders, so it *will* be forced on people, if it became a standard.
i'm not pretending to suggest this, i only suggest that ses is better than srs to solve the forwarding problem, so it will be forced just for people publishing spf records with -all
SRS just isn't going to happen - given the amount of infrastructure that will need patching/modifying. SES looks better, if the roaming user could be more easily accommodated.
maybe the problem is how roaming users use mta's:
a) if they run their own mta, either ses should be disabled for their account or they must run their own validation service or they must send their keys to the mta admin
b) if they use other isp's mta then i will suggest either to disable ses for those users or force them to use my mta. Having people being able to use any mta also has problems with spf, you need to make a very good configuration on the spf record to just allow certain ip addresses to send mail on behalf of (just only) the roaming user that will be using that ip, unless you want all your domain exposed to forgery. On the other hand, there is little chance that the external mta will make proper checks to ensure that the roaming user will only be able to use its own address (i have seen some mta's allowing any kind of relaying to any auth user). So if you want to have total control over your domain's security it will be better to have all of your users use your own mta's. This is by far easier than any other solution.
Is there a good reason why average users cannot use SMTP AUTH over port 587?
I have heard arguments about forwarding, but:
-the vast majority of users do not use forwarding
-those that do use forwarding usually are better equipped technically to deal with key distribution issues (because they are technical themselves or their IT that did the forwarding for them are technically adept)
Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085
--
Best regards ...
It's a fine line between fishing & standing still
----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. e-mail david(_at_)ols(_dot_)es
Pintor Vayreda 1 telf +34 902 50 29 75
08184 Palau-Solita i Plegamans movil +34 670 35 27 53
----------------------------------------------------------------
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/