spf-discuss

Re: where is SES/BATV/ABBS?

2005-07-05 15:11:57
Cool, now we are getting somewhere. David, I take back what I said about you arguing just for the sake of arguing. It seems clear that you are working hard on the area you've chosen to tackle, and perhaps it's more complementary with SPF than I thought at first.

If someone were to come up with a DNS server that knows how to distinguish your SRS0+hash, via some exists: query, do you think you would be willing to publish an SPF record to test it with? Basically the exists: query would pass back the full local part and your DNS server would provide a yes-or-no answer, which is similar to what CBV does, only CBV wouldn't be required at the recipient. (You would probably want to publish using ?all until you are confident that the trick DNS server is working.)

If that could be made to work, that might be a much better solution to the forwarding problem than the one I described earlier. And it could be done proactively by the sender without depending on forwarders to do anything.

Thanks for the info.

gregc

--David Woodhouse <dwmw2(_at_)infradead(_dot_)org> wrote:

On Tue, 2005-07-05 at 10:39 -0500, wayne wrote:
> In particular, what is the format of the local part that you are using?

Mine look something like this:

SRS0+9e825d3f2b85d9154293+681+infradead(_dot_)org+dwmw2(_at_)pentafluge(_dot_)srs(_dot_)infradead.org

> Have you run into systems that have rejected email because it has
> "invalid characters" in the local part?  Or because the local part is
> "too long"?

No. The above has a 50-character localpart. Even with longer domain
names and longer original localparts, it doesn't exceed 64. If it did, I
could vastly reduce the size of the hash. It's based on a _very_ old SRS
format.

Because this isn't actually SRS, it doesn't get applied multiple times,
I get to tune it for my own local addresses and be sure that it fits.
Obviously, if there are hosts out there which make the mistake of
performing SRS, they may exceed the 64-char limit. But that's their
problem.

> Do you use ABBS/SES/BATV for blocking bogus bounces?

Yes.

> Do you use ABBS/SES/BATV in your SPF record with the stub DNS server?

No.

> The reason why I'm asking for details is because I want to learn about
> actual deployment experience and not just the concept.

You can probably ignore the localpart length; it's largely not an
issue.

The more interesting problems are the interaction with
challenge-response systems which may want you to re-validate your
address with a fresh challenge each day (if you didn't have the upstream
pull the plug by reporting it as mail abuse on the first day, that is), and
the occasional mailing list (mostly ezmlm) which allows only subscribers
to post and does so by filtering on the reverse-path instead of the
From: header.

These can be classified as 'problem recipients' and it's not
particularly difficult in theory to arrange to use a fixed address for
each, rather than the normal timestamped addresses. Since they are few
and far between, it isn't beyond the realms of feasibility to let users
add them to a local database for themselves. It's a bit of a pain, but
it's a lot more feasible than, for example, tracking the IP addresses of
forwarders.

I haven't actually bothered to implement the 'problem recipients' thing
for my own setup yet though, because it hasn't been enough of an issue
in practice. The only ezmlm list I found it on was the ses-devel list,
and I refused to work around it _only_ for that list, because it was too
ironic :)  And none of the users who have opted into SES have reported
it as a problem.

There are also some misconfigured autoresponders to consider, as I pointed
out in my mail to this list last February. I don't consider it much of a
loss; some might. You actually get to _keep_ the autoresponses which
violate common sense _twice_ by both using the From: address from the
headers of the incoming mail instead of the reverse-path, and by sending
non-bounce responses instead of using the empty sender.

--
dwmw2

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/



--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
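The two mechanisms the thread turns on, David's SES/BATV-style signed reverse-path local part and Greg's idea of validating it at the recipient through an SPF exists: query answered by a stub DNS server, as an added worked example. This is not code from the thread, from David's infradead.org setup, or from any SPF implementation. Assumptions, labelled in the code: the hash is HMAC-SHA256 truncated to 20 hex characters (the same width as the sample address, the real function is not stated); the third field (681 in the sample) is treated as a day count used as a timestamp; the exists: suffix `_ses.example.org`, the hypothetical record `v=spf1 exists:%{l}._ses.example.org ?all` and the "problem recipient" list are made up for the example. The 64-character local-part limit is the RFC 5321 limit David refers to.

```python
"""SES/BATV-style signed bounce addresses, plus the exists: stub-DNS check.

Added example; assumptions are marked. Sample key, names and dates are
constructed for the example.
"""
import hashlib
import hmac
import re

MAX_LOCAL_PART = 64       # RFC 5321 local-part limit mentioned in the thread
HASH_HEX_CHARS = 20       # assumed: width of the hash field in the sample address
EXISTS_SUFFIX = "_ses.example.org"   # assumed suffix for a record like
                                     #   v=spf1 exists:%{l}._ses.example.org ?all
PROBLEM_RECIPIENTS = {"list@example.net"}   # assumed: recipients that get a fixed address

# SRS0+<hash>+<day>+<original domain>+<original local part>
ADDR_RE = re.compile(r"^SRS0\+([0-9a-f]+)\+(\d+)\+([^+]+)\+(.+)$")


def _tag(key: bytes, day: int, domain: str, local: str) -> str:
    """Keyed hash over everything the recipient can see in the address."""
    msg = f"{day}+{domain}+{local}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:HASH_HEX_CHARS]


def make_bounce_local_part(key: bytes, local: str, domain: str, day: int) -> str:
    """Build the signed local part; refuse rather than emit an over-long one."""
    out = f"SRS0+{_tag(key, day, domain, local)}+{day}+{domain}+{local}"
    if len(out) > MAX_LOCAL_PART:
        raise ValueError(f"local part is {len(out)} chars, over {MAX_LOCAL_PART}")
    return out


def would_fit(key: bytes, local: str, domain: str, day: int) -> bool:
    """True if the signed address stays within the 64-char local-part limit."""
    try:
        make_bounce_local_part(key, local, domain, day)
        return True
    except ValueError:
        return False


def choose_bounce_local_part(key: bytes, local: str, domain: str,
                             recipient: str, today: int) -> str:
    """Timestamped address normally; a fixed, non-expiring one (day 0) for the
    challenge-response and ezmlm-style 'problem recipients' the thread describes."""
    day = 0 if recipient in PROBLEM_RECIPIENTS else today
    return make_bounce_local_part(key, local, domain, day)


def verify_bounce_local_part(key: bytes, local_part: str, today: int,
                             max_age_days: int = 7):
    """Return (ok, original address). Unknown format, bad tag or stale
    timestamp all fail; day 0 marks a fixed address that never expires."""
    m = ADDR_RE.match(local_part)
    if not m:
        return False, None
    tag, day, domain, local = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    if not hmac.compare_digest(tag, _tag(key, day, domain, local)):
        return False, None
    if day != 0 and not (0 <= today - day <= max_age_days):
        return False, None
    return True, f"{local}@{domain}"


def exists_query_name(local_part: str) -> str:
    """Name an SPF verifier would look up for exists:%{l}.<suffix>. Dots inside
    the local part (e.g. the embedded 'infradead.org') become extra labels, so
    the stub server must strip the suffix rather than take the first label."""
    return f"{local_part}.{EXISTS_SUFFIX}"


def stub_dns_has_a_record(qname: str, key: bytes, today: int) -> bool:
    """The 'trick' DNS server: an A record exists only for a validly signed,
    unexpired address, so exists: passes for real bounces and fails for forged ones."""
    suffix = "." + EXISTS_SUFFIX
    if not qname.endswith(suffix):
        return False
    ok, _ = verify_bounce_local_part(key, qname[: -len(suffix)], today)
    return ok


if __name__ == "__main__":
    key = b"constructed-example-key"
    lp = make_bounce_local_part(key, "dwmw2", "infradead.org", 681)
    print(lp, len(lp))
    print(verify_bounce_local_part(key, lp, 683))
    print(stub_dns_has_a_record(exists_query_name(lp), key, 683))
```

The stub server only confirms that the sending site minted the address recently; it says nothing about who is sending the message, which is why Greg suggests `?all` until the server is trusted. A forwarder that applies real SRS on top of this can push the local part past 64 characters, which is the breakage David notes.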

