spf-discuss

Re: RE: rr.com and SPF records

2005-03-17 14:25:50
On Thu, 17 Mar 2005, at 08:52, william(at)elan.net wrote:

On Thu, 17 Mar 2005, Todd Herr wrote:

For example, a customer may send email from "joe(_at_)austin(_dot_)rr(_dot_)com":

# dig +sho austin.rr.com txt
"v=spf1 redirect=texas.rr.com"
# dig +sho texas.rr.com txt
"v=spf1 ip4:24.93.47.0/24 ip4:24.28.204.15 ip4:24.28.204.16 +mx ~all"

Looks good. I do hope your austin.rr.com customers don't travel much
beyond Texas on your net or when they do they send email back through
texas.rr mail servers...

We currently offer both Webmail and remote dialin access to
customers who are away from their cable modems.  Email sent while
connected through either of these methods will traverse the same
servers as if the customer were at home.


i.e. what do you do when a customer from Texas moves to, say, California; is
he allowed to keep his old email account as he would with most other ISPs?

I don't know the answer to this.  Road Runner is a service sold
by 40-odd decentralized Time Warner Cable local franchises; "our"
customers are actually the customers of the local cable
franchises.  The email accounts are included as part of the cable
internet service; they're not billed separately.  I would guess
that if one were to move from one Time Warner Cable franchise
footprint to another, one would have to change email addresses,
but I won't say for certain that this is the case.


Also each actual mail server should also
have its own spf record and those should be specific (they are used
for HELO checks).

Our inbound servers, which would send bounces (yes, I know;
accept-then-bounce is bad; we're working on a solution to that
problem) each have their own SPF record, all of which are:

  "v=spf1 a -all"

Our inbound servers are all collected in the DNS domain
mgw.rr.com, a domain from which customers will never send email.

Are you saying here that our outbound servers (not collected in
any one particular domain) also require SPF records?

The first question to ask is if your outbound mail servers ever send email
with null mail-from? If they do (i.e. if they allow customers to do it and
don't modify it), the answer is definitely yes. Next, even if they don't, if
you look at Wayne's latest SPF draft you'll find that HELO checks are
optional but can be done no matter if MAIL-FROM is null or not (and some
do it already); that suggests that you should consider adding SPF records
to all outbound mail servers anyway.

We'll have to explore this issue further.  We already have issues
with how our SMTP servers HELO (at least some of them)

-- 
Todd Herr
Senior Security Policy Specialist/Postmaster      V: 703.345.2447
Time Warner Cable IP Security                     M: 571.344.8619
therr(_at_)security(_dot_)rr(_dot_)com                           AIM: RRCorpSecTH
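
Added example, not part of the original message or written by either poster: a small offline SPF evaluator run over the records quoted in the thread, showing how the redirect= from austin.rr.com resolves and what a HELO check sees for a host with and without its own record. The host names in1.mgw.rr.com and mx1.texas.rr.com and all A/MX data are constructed for illustration.

```python
import ipaddress

# Constructed offline "DNS". The TXT strings for austin.rr.com, texas.rr.com and
# the per-host "v=spf1 a -all" are from the thread; every host name, A and MX
# value below is made up (documentation address space) for the example.
TXT = {
    "austin.rr.com": "v=spf1 redirect=texas.rr.com",
    "texas.rr.com": "v=spf1 ip4:24.93.47.0/24 ip4:24.28.204.15 ip4:24.28.204.16 +mx ~all",
    "in1.mgw.rr.com": "v=spf1 a -all",
}
A = {"in1.mgw.rr.com": ["192.0.2.10"], "mx1.texas.rr.com": ["192.0.2.20"]}
MX = {"texas.rr.com": ["mx1.texas.rr.com"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate the ip4, a, mx, all and redirect= terms of an SPF record."""
    record = TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # lookup limit, so a redirect loop cannot recurse forever
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "mx":
            matched = any(ip in A.get(h, []) for h in MX.get(arg or domain, []))
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:  # only consulted when no mechanism matched
        result = check_host(ip, redirect, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"
```

Passing the HELO name as the domain gives the HELO check discussed above: a host publishing "v=spf1 a -all" yields pass or fail, while an outbound host with no record of its own yields "none", leaving the receiver nothing to validate.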

