spf-discuss

RE: [spf-discuss] Re: Election issue: forwarding problem

2007-02-04 16:37:44
Frank Ellermann wrote on Sunday, February 04, 2007 12:57 PM -0600:

> Seth Goodman wrote:
>
> > Frank Ellermann wrote:
> >
> > > MSAs could use this trick, if they wish to identify plausible (no
> > > FAIL) envelope senders.
> >
> > Sure, but the MSA needs to have a list of acceptable return-path
> > domains, and preferably a list of mailboxes with their required
> > authentication credentials, regardless of what external domain
> > owners publish.
>
> Not necessarily, the famous "enforced submission rights" in RFC 4409
> are only an OPTION.  Any MSA "MUST" (in 4409) have some kind of AUTH,
> to identify users AUTHorized to use the MSA.  That could be anything
> from SMTP-after-POP over RADIUS to SMTP AUTH (2554bis).

This is true, they don't have to do anything except avoid being listed
as an open relay.  They do authentication to restrict access, but don't
restrict submission rights and only act when they receive complaints.
Plenty of large systems still permit sender forgery, ostensibly because
most of their users submit over port 25, which is often blocked by
outside networks when their users travel.  It's ironic that these same
systems also block port 25 for users visiting their network space.  I
hope we're not still discussing this same chicken vs. egg problem ten
years from now.

> > > Which Return-Path AUTHorized users are permitted to use can be a very
> > > different question.  SPF PASS is a possible solution to figure it out.
> >
> > Probably not good enough for op=auth, for that you'd really need a
> > list.
>
> Or anything with the same effect, a big ISP could just demand
> that users have to use the MAIL FROM:<their.mailbox@this.isp.example>

Once they move their mail submission off port 25, it's a small step to
limit address usage.  This change has gone much slower than I would have
guessed.  The increased usage of web mail has removed some of the
impetus for this.

> > Since you need that list anyway to keep you from open relaying, SPF
> > checking is redundant for this purpose.
>
> IMO it's s/Since/If/

Agreed, many large systems prevent open relaying by authenticating users
without enforcing submission rights.  Better to not confuse what is with
what should be.

Still, I don't see what advantage SPF provides over an ACL to control
the addresses your own users claim.  Checking SPF on outbound would
inform you of possible rejections at the recipient, which will hopefully
become more important.

--
Seth Goodman
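As an added illustration of the two controls being weighed above (an MSA ACL that enforces submission rights per authenticated user, beside an SPF check of the claimed return-path domain against the MSA's own outbound address), here is a small Python model. It is not code from this thread or from any of its participants; the users, mailboxes, SPF records and IP addresses are all constructed for the example, and the SPF evaluator only understands ip4 mechanisms and a trailing all.

```python
"""MSA submission-rights check (ACL) beside a toy SPF check.

Constructed example: none of the users, domains, records or addresses
below are real; the SPF evaluator is a minimal model, not a full RFC 4408
implementation.
"""
from ipaddress import ip_address, ip_network

# Constructed ACL: authenticated user -> return-path mailboxes they may use.
# An entry starting with '@' grants the whole domain.
SUBMISSION_ACL = {
    "alice": {"alice@this.isp.example", "@alice-business.example"},
    "bob": {"bob@this.isp.example"},
}

# Constructed SPF records, standing in for what a DNS TXT lookup would return.
SPF_RECORDS = {
    "this.isp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "alice-business.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "victim.example": "v=spf1 ip4:198.51.100.7 -all",
}

# Constructed address of this MSA's outbound relay.
MSA_OUTBOUND_IP = "192.0.2.25"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def acl_permits(user, mail_from):
    """Enforced submission rights: is MAIL FROM on this user's list?"""
    allowed = SUBMISSION_ACL.get(user, set())
    mail_from = mail_from.lower()
    domain = mail_from.rsplit("@", 1)[-1]
    return mail_from in allowed or "@" + domain in allowed


def spf_result(domain, client_ip):
    """Toy SPF evaluation: ip4 mechanisms and a trailing all; 'none' if no record.

    Result is 'neutral' when no mechanism matches, as the SPF default.
    """
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms this toy model does not implement
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def msa_decision(user, mail_from, outbound_ip=MSA_OUTBOUND_IP):
    """The ACL decides whether submission is accepted; the SPF result only
    predicts what a recipient checking the domain's policy will see."""
    domain = mail_from.rsplit("@", 1)[-1]
    return {"acl": acl_permits(user, mail_from),
            "spf": spf_result(domain, outbound_ip)}


if __name__ == "__main__":
    # bob using alice's mailbox: SPF passes for the MSA's own address, but the
    # ACL still rejects, which is why a list is needed for per-user rights.
    print(msa_decision("bob", "alice@this.isp.example"))
    print(msa_decision("alice", "ceo@alice-business.example"))
```

The bob/alice case is the crux of the exchange: SPF PASS only says that the MSA's address is authorized to send for the domain, which is true for every local user and every mailbox at that domain, so it cannot distinguish a user from someone forging a neighbour's address. The ACL lookup is what enforces per-user rights; the SPF result is still worth computing on outbound, because a fail or softfail for a user's external domain warns of likely rejection at the recipient.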

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/?list_id=735
