spf-discuss

Re: Authentication vs. Authorization

2005-05-21 15:46:09
On Sat 2005-05-21 17:51:43, Scott Kitterman wrote:
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Paul Ficinski
Sent: Saturday, May 21, 2005 9:12 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Authentication vs. Authorization

<snip>

It should be made clear in wizards that senders should only take
responsibility for the systems that they actually do trust not to forge
their mail. Systems they cannot trust to that extent should return
neutral. Common examples such as ISP smarthosts without SMTP auth
should be mentioned.

Zair

But don't forget that SMTP Auth doesn't particularly solve this problem
either.  Most, if not all, large commercial providers (ISPs, web hosts, etc)
that use SMTP Auth, use it to authorize access to the MTA.  They do not
typically use it to authorize the use of specific mail identities.

The auth methodology doesn't matter so much (I could get much the same
result with POP before SMTP), but that the method is configured not only to
limit MTA access, but also to limit mail identities to those authorized for
that user.

True, I don't know how I forgot that important detail. However it may 
not be necessary in all cases: if there are no per user spf policies 
and the mta serves only one domain and is configured to only allow 
submissions using that domain then SMTP auth would be all that's needed 
as all users would be using the same SPF record. Of course limiting 
address spoofing on a per user benefit has its own benefits.

Zair

-- 
Paul Ficinski
spf(_at_)fairymouse(_dot_)com
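
The distinction discussed in this thread, as an added example that is not part of the original messages: a submission check under three policies (authentication gates MTA access only, MAIL FROM restricted to the single served domain, MAIL FROM restricted to identities mapped to the login). The policy names, the login map and the `example.org` addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: envelope senders each authenticated login may use.
SENDER_LOGIN_MAP = {
    "alice": {"alice@example.org"},
    "bob": {"bob@example.org", "sales@example.org"},
}
SERVED_DOMAIN = "example.org"  # the one domain this hypothetical MTA serves
POLICIES = ("access", "domain", "identity")


def normalize(mail_from):
    """Return (address, domain), lowercased; ('', '') if malformed or null."""
    addr = parseaddr(mail_from)[1].lower()
    local, sep, domain = addr.rpartition("@")
    return (addr, domain) if sep and local and domain else ("", "")


def check_submission(login, mail_from, policy):
    """Decide whether an authenticated client may submit with this MAIL FROM.

    access   - SMTP AUTH (or POP before SMTP) only gates use of the MTA
    domain   - additionally, MAIL FROM must be in the single served domain
    identity - additionally, MAIL FROM must be mapped to this login
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if login is None:
        return False  # not authenticated: no submission under any policy
    if policy == "access":
        return True
    addr, domain = normalize(mail_from)
    if domain != SERVED_DOMAIN:
        return False
    if policy == "domain":
        return True
    return addr in SENDER_LOGIN_MAP.get(login, set())


def outcomes(login, mail_from):
    """Evaluate one submission under all three policies."""
    return {p: check_submission(login, mail_from, p) for p in POLICIES}


if __name__ == "__main__":
    for login, sender in [("alice", "ceo@other.example"),
                          ("alice", "bob@example.org"),
                          ("alice", "alice@example.org")]:
        print(login, sender, outcomes(login, sender))
```

In the second case the domain restriction keeps the message under the same SPF record, but only the identity map stops one authenticated user from sending as another.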

