On Tue, 5 Jul 2005, David Woodhouse wrote:
> Humour me... assume I were to set up a forwarding address
> stuart(_at_)infradead(_dot_)org which was forwarded to you. What IP addresses
> would you list for it?
> Or suppose you bought a domain from (...googles...)
> http://www.yourdomainhost.com/ and used their email forwarding service.
> What IP addresses would you list for _that_?
You'd check to see if they have an SPF record and whitelist those IP addresses
for the specific user. The system is then this:
1. Check SPF (after MAIL FROM if you want, but don't give the 500 error
code until RCPT TO)
2. If SPF is fail, at RCPT TO check if the user is on the local SPF check
exception list; if not, give a 500 fail at RCPT TO and close the SMTP session.
3. If the user has an SPF exception, check if he lists forwarding systems and
their domains. If so, go through and verify if SPF is pass but using
those forwarding system domains (instead of MAIL FROM) and the SMTP client IP.
If any of them is pass, then proceed to DATA. If all of them fail,
then give a 500 fail.
If info about IP addresses of the forwarding system is not available, then
forget about step 3 and for such a user proceed to DATA even with SPF fail.
> Right. You don't care if the largest mail providers aren't using SPF,
> because there are viable alternatives which _do_ work properly in the
> real world and provide largely the same benefits which SPF purports to
> offer. So it doesn't matter that many people can't use SPF.
The alternatives require heavier changes to originating mail systems,
and most alternatives work on message data and cannot allow quick
rejection of bad mail at the SMTP session. We need to protect both the
SMTP session and the message data and content.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
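The RCPT TO decision procedure described in steps 1 to 3 above, written out as an added Python example; it is not code from the original thread or from either poster. It assumes a constructed in-memory table of SPF-authorized networks (ip4-style mechanisms only) standing in for real DNS TXT lookups, and constructed recipient addresses, forwarder domains and IP addresses. The "forwarder IP info not available" fallback covers both a recipient who is exempt but lists no forwarders and a listed forwarder domain that publishes no record.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> networks its SPF record authorizes.
# A domain absent from this table has published no SPF record at all.
SPF_RECORDS = {
    "sender.example.com": ["192.0.2.0/24"],
    "forwarder.example.net": ["198.51.100.10/32"],
    # "unknown-forwarder.example" is deliberately missing: no record published.
}

# Constructed local SPF exception list: recipient -> forwarding domains they use.
# An empty list means the user is exempt but we know nothing about the forwarder.
EXCEPTIONS = {
    "alice@local.example": ["forwarder.example.net"],
    "bob@local.example": [],
    "dave@local.example": ["unknown-forwarder.example"],
}


def spf_check(domain, client_ip):
    """Simplified SPF evaluation: 'pass', 'fail', or 'none' (no record)."""
    nets = SPF_RECORDS.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in nets):
        return "pass"
    return "fail"


def decide_at_rcpt_to(mail_from_domain, client_ip, rcpt_to):
    """Return ('proceed', reason) to continue to DATA or ('reject', reason)
    to answer RCPT TO with the permanent failure the post describes."""
    # Step 1: SPF on the MAIL FROM domain. Anything other than fail proceeds.
    result = spf_check(mail_from_domain, client_ip)
    if result != "fail":
        return ("proceed", "mailfrom-" + result)

    # Step 2: SPF failed; only recipients on the local exception list survive.
    if rcpt_to not in EXCEPTIONS:
        return ("reject", "spf-fail")

    # Step 3: re-evaluate SPF with each listed forwarding domain against the
    # same SMTP client IP. Any pass proceeds; a forwarder with no record means
    # the IP info is unavailable, so proceed as well; all fails reject.
    forwarders = EXCEPTIONS[rcpt_to]
    if not forwarders:
        return ("proceed", "no-forwarder-info")
    info_missing = False
    for fwd in forwarders:
        fwd_result = spf_check(fwd, client_ip)
        if fwd_result == "pass":
            return ("proceed", "forwarder-pass:" + fwd)
        if fwd_result == "none":
            info_missing = True
    if info_missing:
        return ("proceed", "no-forwarder-info")
    return ("reject", "forwarder-fail")


if __name__ == "__main__":
    cases = [
        ("sender.example.com", "192.0.2.5", "carol@local.example"),
        ("sender.example.com", "203.0.113.7", "carol@local.example"),
        ("sender.example.com", "198.51.100.10", "alice@local.example"),
        ("sender.example.com", "203.0.113.7", "alice@local.example"),
        ("sender.example.com", "203.0.113.7", "bob@local.example"),
        ("sender.example.com", "203.0.113.7", "dave@local.example"),
    ]
    for mail_from, ip, rcpt in cases:
        print(mail_from, ip, rcpt, "->", decide_at_rcpt_to(mail_from, ip, rcpt))
```

Because the check keys on the recipient, the exception can only be applied at RCPT TO, which is why the post defers the failure response from MAIL FROM to that stage; a real deployment would substitute a full SPF library and DNS resolver for the `SPF_RECORDS` table.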