"Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>
Thursday, January 06, 2005 9:10 PM
I meant:
1. Notice the SMTP-AUTH identity. See if MAIL FROM matches the
SMTP-AUTH
identity. If not, reject the MAIL FROM.
2. Notice the SMTP-AUTH identity. See if MAIL FROM matches the
SMTP-AUTH
identity. If not, simply override MAIL FROM with an e-mail address
that is appropriate for the SMTP-AUTH identity.
Thanks for correcting me.
Hector Santos
Friday, January 07, 2005 6:04 AM
Allow me to correct you again! :-)
Once an SMTP AUTH session is established, everthing else is MUTE!
SPF does
not apply.
On Fri, 7 Jan 2005, Scott Kitterman wrote:
I believe that you are talking about different ends of the process.
...
It isn't part of SPF, but I believe it's definitely something SPF has an
interest in. If we make domain owners aware of the issue as they deploy SPF
records, I believe that they will create the market pressure for this added
layer of forgery protection. I don't care how the MTA operators do it, just
that they do.
Scott beat me to the punch, but let me second the thought. I think Hector is
misunderstanding the context here. The idea is NOT that MSAs should use SPF.
The point we were discussing, based on context earlier in the thread, was
whether the domain owner should use + or ? when referring to his ISPs
dedicated MTAs.
The sending ISP really should use SMTP AUTH and best practices to assure that
each user is using the email addresses he really owns, and not forging other
people's addresses. Most ISPs don't do that - they just assume that a valid
password is carte blanche to send any mail, spoofed or not. *this has nothing
to do with installing SPF on those MSAs!* We all agree that SPF is
inappropriate for this use.
In fact, we don't even need most ISPs to support SPF before it starts becoming
effective. All we need for ISPs to do is to practice good security and not
allow spoofing.
My feeling is: Whether the MSAs practice good security, and whether they have
existing spam problems, and whether they react quickly to complaints, all
should be factors when domain owners are deciding to give "pass" results to
all outgoing mail from that ISP. The domain owner should feel reasonably
confident that zombies or malicious users at the same ISP aren't going to
spoof mail. The domain owner should ask if other users of the same server are
prevented from using his domain. The domain owner should accept
responsibility if he decides to give a "pass" result from his ISPs outgoing
MTA and it later gets abused. We all need to explain this issue coherently to
domain owners so that they can make an informed decision and ask the right
questions of their ISP.
--
Greg Connor
gconnor(_at_)nekodojo(_dot_)org
Everyone says that having power is a great responsibility. This is a lot
of bunk. Responsibility is when someone can blame you if something goes
wrong. When you have power you are surrounded by people whose job it is
to take the blame for your mistakes. If they're smart, that is.
-- Cerebus, "On Governing"