spf-discuss

Re: Re: RFC 2821 and responsibility for forwarding

2004-12-04 13:38:54
On Sat, 2004-12-04 at 06:17, Frank Ellermann wrote:
Maintaining whitelists is a hassle

Many MTAs doing SPF checks probably need it.  A very simple
case is a secondary MX forwarding all received stuff to the
primary MX; the primary MX must white-list its secondary MX.

Or if your MX is also an MSA you have to "white-list" your own
authenticated users (not really, but somehow you don't use SPF
tests against your own users, it's like an implicit white list).

Setting up authorization between primary and secondaries is part of
setting up primaries and secondaries, and in most cases falls under a
single administrative area of control (or close ties between sites).  An
MSA and its authorized authenticated users also fall under a single
administrative area of control.  The problem with forwarding is not
forwarding within an organization, it's re-injecting the mail back into
the Internet.  Primaries and secondaries and authorized users are not an
ad-hoc setup.  Users don't just show up and say "I designated
examplesecondary.remote.com as a secondary for example.com and the mail
is not coming through" (because, by definition, _users_ cannot do
that).  Forwarding usually is ad-hoc and based on the whims of the
users.  But I get what you are saying.  Pushing the job of whitelisting
on to the users helps distribute the hassle (but not the help-desk
requirements, heh) of it.  But even if it isn't on the users -- is it
reasonable to expect big email providers will have what amounts to B2B
help desks for getting mutual trust relationships set up?

        "Hello, big-email-and-internet-service-provider.com?  This is
        the postmaster of smallisp.example.com.  I have a user who wants
        to forward all their mail from their account here to their new
        account with you guys.  I need you to whitelist me."


        "Yeah, right."

  or

        "Go to this website, download the forms, print them out in
        triplicate, fill them out, and mail them to our offices.  You'll
        hear from us in three to six weeks."

  or

        "Postmaster?  Please deliver all mail to the mailroom in
        building 7."

I, for one, wouldn't want to blindly whitelist big free email providers
for my entire site -- it is only slightly better when done on a per-user
basis.  How do you get users to understand that whitelisting
big-free-email-provider-spammer-haven.com puts them at risk and that
this is most likely a risk they don't want to have to deal with
(especially if you've been burned by them before)?

Andy.