At 10:39 AM 6/28/2005 -0500, Daniel Taylor wrote:
> David MacQuigg wrote:
>> At 10:15 PM 6/27/2005 -0700, Greg Connor wrote:
>>> The edge mailers are not smart enough to process SPF yet. (Actually
>>> an SPF switch exists but their implementation is known to have some
>>> problems and can't be adjusted, whitelisted, etc. This is an
>>> appliance box.) Most important, their implementation of SPF doesn't
>>> allow for logging only, the only choice is to reject.
>>
>>
>> This raises a serious question - If many domains use these "appliance
>> boxes" as their border MTAs, how can we expect *any* IP authentication
>> method to work? Are we expecting these appliances to be replaced by
>> general-purpose MTAs? I assume there is no chance of modifying their
>> proprietary software.
>>
>> ...
>>
> The border MTA is the one that needs to do the check for best effect.
> However: if the border MTA provides useful Received-From headers
> they can be used for post-SMTP verification. This is sub-optimal
> in so many ways, but is better than nothing I suppose.

This seems like a possible temporary work-around, at least until all the
appliances get updated to provide some kind of standard authentication
interface, e.g. an API to call a plugin with all session identities and the
connecting IP.
Are any of the current SPF-enabled MTAs able to pick up the required info
from a specified Received header? This might be tricky if there are a lot
of variations in the Received headers from various gonzo
appliances. Another good reason for a standard authentication header -
make all the appliances look like just another trusted forwarder.
--
Dave
************************************************************
* David MacQuigg, PhD          email: david_macquigg at yahoo.com
* IC Design Engineer           phone: USA 520-721-4583
* Analog Design Methodologies
* 9320 East Mikelyn Lane
* VRS Consulting, P.C.         Tucson, Arizona 85710
************************************************************
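
Added example, not part of the original message or of any MTA's code: recovering the connecting IP for a post-SMTP SPF check from the Received header stamped by the border appliance, tolerating a few header variants. The host name `edge1.example.org`, the sample message and the function name are assumptions, and it assumes all inbound mail passes through that border MTA.

```python
import email
import ipaddress
import re

BORDER_MTA = "edge1.example.org"  # assumption: the name the appliance stamps after "by"

# Constructed message. Headers are prepended, so the newest hop is on top.
SAMPLE = (
    "Received: from edge1.example.org (edge1.example.org [10.0.0.2])\n"
    "\tby mailstore.example.org with ESMTP id A1; Tue, 28 Jun 2005 10:40:02 -0500\n"
    "Received: from mta.sender.example (HELO mta.sender.example) ([192.0.2.25])\n"
    "\tby edge1.example.org with SMTP id B2; Tue, 28 Jun 2005 10:40:01 -0500\n"
    "Received: from bank.example ([203.0.113.9])\n"
    "\tby edge1.example.org with SMTP; Tue, 28 Jun 2005 10:00:00 -0500\n"
    "From: someone@sender.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
# Bracketed or parenthesised token that might be an address:
# [1.2.3.4], (1.2.3.4), [IPv6:2001:db8::1]
IP_RE = re.compile(r"[\[(]\s*(?:IPv6:)?([0-9A-Fa-f:.]+)\s*[\])]")


def border_client_ip(raw_message, border=BORDER_MTA):
    """Return the IP that connected to the border MTA, or None if none can be trusted."""
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):       # top-down: newest hop first
        flat = " ".join(hdr.split())               # unfold continuation lines
        by = BY_RE.search(flat)
        if not by or by.group(1).lower() != border.lower():
            continue                               # internal hop above the border
        # The first border stamp from the top is the real one; anything below it
        # was supplied by the sender, so never look past this header.
        for cand in IP_RE.findall(flat[:by.start()]):
            try:
                return str(ipaddress.ip_address(cand))
            except ValueError:
                continue                           # hex-looking host name, not an IP
        return None
    return None


if __name__ == "__main__":
    print(border_client_ip(SAMPLE))
```

The returned address is what an SPF evaluator would take as the connecting IP; the third Received line in the sample sits below the border stamp and is ignored because the sender could have written it.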