spf-discuss

Re: SPF+SRS vs. BATV (was: SPF Stats)

2005-07-05 10:16:06
On Tue, 5 Jul 2005, David Woodhouse wrote:

> That's neatly sidestepping the problem. Assume you're running an ISP and
> I'm one of your customers. You have started using SPF so you've mailed
> all your customers and told them that they have to whitelist their
> forwarders if they don't want you to start throwing away their valid
> mail. I'm calling your support line and asking you how to do it...
>
> > I would only purchase a forwarding service that at a minimum publishes
> > SPF with -all so that I would not have to list IPs.
>
> Sounds like I'd be looking for a new ISP then, if you're going to
> tell me I should do that.

Ok, I'll bite.  I am running a big ISP, and I've provided a nice friendly
UI for users to list their forwarders, which even lets them put in a local
"SPF" record for forwarders that don't publish.  I've informed my users that
they can opt in to a feature that will reduce the forged mail they receive
by rejecting mail that fails SPF.  You are one of my users, and you
want to know how to list a forwarder.

  You: So how do I list a forwarder?

  Me: Just put in their domain.

  You: How do I find out what their domain is?

  Me: It is the domain they send forwarded mail from.

  You: But how do I know what that is?

  Me: Have you tried asking them?

  You: No, I'll try that.

1 day later:

  You: Ok, I called JoesForwarding, and they didn't understand my
  question at first, but eventually, after a big run around, they
  said they send mail from servers named smtpX.joesforwarding.com,
  where X can be any number.

  Me: Hmm, I see that joesforwarding does not publish an SPF record.
  You'll have to use the advanced feature on your forwarder configuration
  screen, and put in an SPF record for them until they publish.

  You: What's an SPF record?

  Me: Just put this in the advanced tab for joesforwarding.com: "ptr -all"
  That says that mail forwarded by Joe's always comes from an IP with
  a PTR name ending in joesforwarding.com.  You don't need to know
  what that means, and when Joe eventually publishes official SPF records, our
  system will use those instead.

  You: What would happen if I just listed joesforwarding.com as a forwarding
  domain, without the magic voodoo you gave me in the advanced tab?

  Me: It would still work.  When a forwarder has no SPF record, we
  use a "best guess" of "a mx ptr ?all".  This would match joesforwarding.com
  also, but is less efficient.  Furthermore, the ?all would mean that you could
  still get email that claims to be forwarded by joesforwarding but is actually
  forged.

  You: Interesting.  Where can I find out more about SPF records?

  Me: Go to www.openspf.org, and look at the tutorial.

> > If the forwarding service does not implement SRS, then I would simply
> > use their SPF record to whitelist the forward:
> >
> >   If RCPT TO == forward target and SPF fail, then
> >     replace MAIL FROM with forwarded alias,
> >     accept mail if that passes
>
> Which record? The set of hosts which they use for their own outgoing
> mail from hostingco.com may bear no relation to the IP addresses used on
> outgoing connections from their hosted servers.

Exactly.  That is what an SPF record is for.  That is why we need SPF:
to list sets of hosts which may bear no relation to anything else.
Even if the forwarding service doesn't publish SPF, I could still use
them if I could guess a reasonable enough record for a local policy,
as I do in the scenario above.  (But personally I wouldn't, since I would
rather not spend my money on a service where I have to guess what their 
outgoing email configuration is.)

> > Forget about the big picture for a second, and just think of SPF as
> > a way to publish what IPs you send mail from.  Makes answering
> > the question "what IP addresses" easy!
>
> And that's fine for using as a _whitelist_.

Which is exactly what you need to _whitelist_ a non-SRS forwarder.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
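As an added illustration of the forwarder whitelist rule discussed in this thread (not code from the post or from any SPF implementation), the toy evaluator below runs the "if RCPT TO is a forward target and SPF fails, re-check as the forwarder" logic over a constructed in-memory DNS. The domains (bigbank.example, joesforwarding.com), IPs and records are all made up; it implements only the a, mx, ptr, ip4 and all mechanisms, enough to compare the local "ptr -all" policy against the "a mx ptr ?all" best guess.

```python
# Constructed DNS data for the example: SPF TXT, A, MX and reverse (PTR) records.
DNS = {
    "TXT": {"bigbank.example": "v=spf1 ip4:192.0.2.10 -all"},
    "A":   {"smtp1.joesforwarding.com": "198.51.100.7",
            "mail.joesforwarding.com": "198.51.100.9"},
    "MX":  {"joesforwarding.com": ["mail.joesforwarding.com"]},
    "PTR": {"198.51.100.7": "smtp1.joesforwarding.com",
            "203.0.113.5": "spammer.example"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
BEST_GUESS = "v=spf1 a mx ptr ?all"  # used when a forwarder publishes nothing

def matches(mech, ip, domain):
    """Does one mechanism (qualifier already stripped) match the connecting IP?"""
    name, _, arg = mech.partition(":")
    target = arg or domain
    if name == "all":
        return True
    if name == "ip4":
        return ip == arg
    if name == "a":
        return DNS["A"].get(target) == ip
    if name == "mx":
        return any(DNS["A"].get(mx) == ip for mx in DNS["MX"].get(target, []))
    if name == "ptr":
        # Validated PTR: the reverse name must resolve back to the IP and be
        # the target domain or a subdomain of it.
        rev = DNS["PTR"].get(ip, "")
        return DNS["A"].get(rev) == ip and (rev == target or rev.endswith("." + target))
    return False  # unknown mechanism: treat as no match

def check_spf(ip, domain, local_policy=None):
    """Published record first, then the locally configured one, then best guess."""
    record = DNS["TXT"].get(domain) or local_policy or BEST_GUESS
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        if matches(term.lstrip("+-~?"), ip, domain):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched

def accept_forwarded(ip, mail_from_domain, rcpt_is_forward_target, forwarder, local_policy=None):
    """The rule from the post: if RCPT TO is a forward target and SPF fails on the
    original MAIL FROM, re-check as if MAIL FROM were the forwarder's domain."""
    result = check_spf(ip, mail_from_domain)
    if result == "fail" and rcpt_is_forward_target:
        return check_spf(ip, forwarder, local_policy)
    return result
```

With the "ptr -all" local policy, mail relayed by Joe's server passes and a forged message claiming the same forwarder fails; under the best guess the forgery only gets "neutral", which is the weakness the dialogue above points out.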

