spf-discuss

Re: How useful are per-user policies?

2005-05-04 08:46:34


Radu Hociung wrote:
> Philip Gladstone wrote:
>> Radu Hociung wrote:
>>> Perhaps you can come up with a practical use of %{l} that makes sense in
>>> the real world?
>>
>> For example, on my domain, I have (amongst other things)
>> '-exists:%{l}.users.%{d}'
>>
>> I have a stunt DNS server that returns a TXT record for all users that
>> *do not exist*. This simple rule catches a bunch of stuff. It also allows
>> my valid users to send from anywhere. Yes, it doesn't lock things down
>> completely -- I have other entries that do that.
>
> But why would the mail servers specified in the other parts of the
> policy send mail from users that don't exist in your domain?
>
> If mail is sent from a non-existent user from a non-authorized IP, the
> -all takes care of that.

Writing SPF records is a balance between 'not denying legitimate mail' and 'denying illegitimate mail'. You will *never* achieve a policy that has no false positives and no false negatives.

My current policy is fairly liberal and ends with a ~all. I wanted to allow everything that was probably good. This means that I can only deny stuff that is guaranteed to be bad. This fragment above has no false positives. The address '<root(_at_)gladstonefamily(_dot_)net>' will never send mail to anyone.

If I look at my records, I see people forging mail from a variety of local parts.

I think that your assumption is that you can tightly specify the list of mail servers. I have not chosen that approach. The beauty of SPF is that individual administrators can choose the policies that make sense for them. Further, they can modify their policies at any time. They can make them more or less restrictive.

I like %{l} (actually, I like %{l1r-}).

Philip

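A worked version of the rule discussed in this thread, added here as an illustration and not code from the list or from Philip's setup: it expands RFC 4408 macros (%{l}, %{d}, %{i} and transformers such as %{l1r-}), evaluates a -exists: term, and stands in for the "stunt DNS server" with a constructed user table. The user set VALID_USERS, the domain example.net and the sender addresses are assumptions; the DNS lookup is a boolean stub in place of the A-record query that exists: actually performs.

```python
import re
from typing import Callable, Optional, Set

# Constructed stand-in for the "stunt DNS server" from the thread: it answers
# for <localpart>.users.<domain> exactly when the local part is NOT a real user.
VALID_USERS: Set[str] = {"philip", "alice"}   # constructed sample data

def stunt_dns_exists(name: str, domain: str, valid_users: Set[str]) -> bool:
    """True if the stunt server would answer for `name` (local part unknown)."""
    suffix = ".users." + domain
    if not name.endswith(suffix):
        return False
    return name[: -len(suffix)] not in valid_users

# RFC 4408 macro syntax: %{<letter><digits><r><delimiters>} plus %%, %_, %-
MACRO_RE = re.compile(r"%\{([slodi])(\d*)(r?)([.\-+,/_=]*)\}|%([%_-])")

def expand_macro(macro_string: str, sender: str, domain: str, ip: str) -> str:
    """Expand the SPF macro letters s, l, o, d, i with their transformers."""
    local, _, sender_domain = sender.partition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain, "i": ip}
    def sub(m):
        letter, digits, rev, delims, literal = m.groups()
        if literal:                      # %% -> %, %_ -> space, %- -> %20
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()              # 'r' transformer: reverse label order
        if digits:
            parts = parts[-int(digits):] # keep only the right-most N labels
        return ".".join(parts)           # output labels are always "."-joined
    return MACRO_RE.sub(sub, macro_string)

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_exists(term: str, sender: str, domain: str, ip: str,
                    lookup: Callable[[str], bool]) -> Optional[str]:
    """Evaluate one [qualifier]exists:<macro-string> term; None means no match."""
    qualifier = "+"
    if term[0] in RESULTS:
        qualifier, term = term[0], term[1:]
    if not term.startswith("exists:"):
        raise ValueError("not an exists: mechanism: " + term)
    target = expand_macro(term[len("exists:"):], sender, domain, ip)
    return RESULTS[qualifier] if lookup(target) else None

def check(sender: str, term: str = "-exists:%{l}.users.%{d}",
          domain: str = "example.net", ip: str = "192.0.2.1") -> Optional[str]:
    """Run the thread's rule for one sender against the constructed stunt DNS."""
    return evaluate_exists(term, sender, domain, ip,
                           lambda name: stunt_dns_exists(name, domain, VALID_USERS))
```

With the %{l1r-} variant, a tagged address such as philip-list@example.net reduces to the base user "philip" before the lookup, so it is not rejected, while an unknown local part still yields "fail".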
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
