spf-discuss

Re: spf

2005-04-14 07:03:59


Andrew Gutkowski wrote:
> How does SPF work with ISPs who require users to send all SMTP mail
> through the ISP's servers, even users whose accounts are with other email
> providers?

That is an irresponsible request. If they want all University-related email to go through the University email servers, so be it. If they want all the person's email to go through the University's email, then they are violating their people's privacy rights. And freedom of speech. And common sense.

But politics aside:

The bottom line is, if they insist that every email the user sends go through the University's SMTP servers, then that is equivalent to saying:
1) The user must only send email using their University email account (e.g. SMTP AUTH)
OR
2) The user's other email service must allow emails for their domain to originate from the University
---> this is unmaintainable (too many other ISPs, assuming the university has more than a handful of people)
---> this is irresponsible (it would force the ISPs to allow people from the university to forge email from the ISP's domain)

Therefore the only solution is #1, and see the statement about politics above.

> For example, we are a college in PA.  One of the local
> ISPs requires our off-campus students who are on their network using our
> email or any email account to send email through the ISP's smtp servers.

Which is perfectly reasonable, many ISPs do this responsibly so they can detect and shut down zombies.

And with or without SPF there is *nothing* the University can do (legally anyway) to prevent the ISP from forcing the users to use the ISP's mail servers. So the University has lost their (very, *very*) bad policy already. (Have I mentioned SMTP AUTH yet? :)

> If this would go to an smtp server which was doing SPF lookups, they
> would look up our SPF records in DNS and we do not have this external
> SMTP server listed.

Now you are talking about something different: The offsite user sending email from a NON university account but pretending (aka forging) the email is coming from their University email account.

Not good.

Set the "Reply To" to be the university account, or the 2822 address to be the University account (if your MUA allows and your ISP SMTP doesn't override). Or use SMTP AUTH to make the email actually originate from the University's email servers.

> We can't possibly list all ISPs which our students
> might use to send email.

Agreed.

> Should we contact the ISP and request that
> they no longer restrict smtp leaving their network?

Go ahead.  And I hope they tell you to take a hike, and they probably will.

> It becomes an even
> bigger problem because other ISPs around the world do the same thing and
> we have no idea if our students are using any of these ISPs to send
> mail.

Name one. In fact name which University in PA is doing this. I would like to research what the actual wording of the regulation is, there may be some misinterpretation, because as stated above it doesn't make sense. Despite law changes after 9/11 the US is still a (mostly) free country, so I find it hard to believe a place of higher education would actually try to do what is stated above. But maybe "higher" is subjective. :)


> If someone could please clear up the confusion or explain to me what to
> do in this situation, it would be greatly appreciated.

If you want to allow your University to (invade your privacy or whatever motivation and) force all emails from you to anyone to go through their mail servers use SMTP AUTH to make the emails originate from the University's mail servers. That's what SMTP AUTH is for.

If you want to try to enforce the University rules of all emails from the person must be sent through the University: good luck, but you'll probably fail, and I hope you do fail.


Terry


> Thanks!
>
> Andrew Gutkowski
> CNA, MCP, Network+, A+
> Systems Administrator
> Pennsylvania College of Technology
> One College Avenue
> Williamsport, PA 17701
> agutkows(_at_)pct(_dot_)edu
> 570-329-4918 phone
> 570-321-5554 fax



--
Terry Fielder
terry(_at_)greatgulfhomes(_dot_)com
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085

