spf-discuss

Re: Authentication vs. Authorization

2005-05-21 20:08:00
...... Original Message .......
On Sat, 21 May 2005 23:46:09 +0100 Paul Ficinski 
<spf(_at_)fairymouse(_dot_)com> wrote:
On Sat 2005-05-21 17:51:43, Scott Kitterman wrote:
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Paul 
Ficinski
Sent: Saturday, May 21, 2005 9:12 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Authentication vs. Authorization

<snip>

It should be made clear in wizards that senders should only take
responsibility for the systems that they actually do trust not to forge
their mail. Systems they cannot trust to that extent should return
neutral. Common examples such as ISP smarthosts without SMTP auth
should be mentioned.

Zair

But don't forget that SMTP Auth doesn't particularly solve this problem
either.  Most, if not all, large commercial providers (ISPs, web hosts,
etc.) that use SMTP Auth use it to authorize access to the MTA.  They do
not typically use it to authorize the use of specific mail identities.

The auth methodology doesn't matter so much (I could get much the same
result with POP before SMTP), but that the method is configured not only
to limit MTA access, but also to limit mail identities to those
authorized for that user.

True, I don't know how I forgot that important detail. However, it may
not be necessary in all cases: if there are no per-user SPF policies
and the MTA serves only one domain and is configured to only allow
submissions using that domain, then SMTP auth would be all that's needed,
as all users would be using the same SPF record. Of course, limiting
address spoofing on a per user benefit has its own benefits.


Yes.  I generally refer to this as the shared MTA problem.  It makes it 
tough to get an SPF pass if you don't operate a dedicated mail server.

Scott K
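
Added example, not part of either poster's message: a small model of the three submission policies discussed in this thread (AUTH for MTA access only, AUTH plus a domain restriction, AUTH plus per-user identity limits), showing which submissions would still earn an SPF pass for an address the authenticated user does not own. All logins, addresses and domains are constructed, and the function names are hypothetical.

```python
# Added illustration: logins, addresses and domains are constructed.
# Login -> envelope senders that login owns (hypothetical shared MTA).
OWNED = {
    "alice": {"alice@example.org"},
    "bob": {"bob@example.org"},
    "carol": {"carol@example.net"},
}
# Domains whose SPF record lists this MTA, so mail it relays gets SPF pass.
SPF_LISTS_THIS_MTA = {"example.org", "example.net"}


def _addr(mail_from):
    return mail_from.strip().strip("<>").lower()


def _domain(mail_from):
    return _addr(mail_from).rpartition("@")[2]


def access_only(login, mail_from):
    """AUTH gates access to the MTA; the sender address is not checked."""
    return login in OWNED


def domain_limited(login, mail_from):
    """Sender must be in a domain the login belongs to (single-domain case)."""
    return _domain(mail_from) in {_domain(a) for a in OWNED.get(login, ())}


def identity_limited(login, mail_from):
    """Sender must be an address assigned to this login."""
    return _addr(mail_from) in OWNED.get(login, ())


# Constructed submissions: (authenticated login, MAIL FROM).
SUBMISSIONS = [
    ("alice", "<alice@example.org>"),   # own address
    ("alice", "<bob@example.org>"),     # another user, same domain
    ("alice", "<carol@example.net>"),   # another customer's domain
]


def misattributed_passes(policy):
    """Submissions relayed under `policy` that would get SPF pass for an
    address the authenticated login does not own."""
    return [(login, frm) for login, frm in SUBMISSIONS
            if policy(login, frm)
            and _domain(frm) in SPF_LISTS_THIS_MTA
            and not identity_limited(login, frm)]
```

Only the identity-limited policy returns an empty list; the domain-limited policy closes the cross-domain case but still lets one user send as another within the same domain.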

