On Sunday 04 February 2007 18:36, Seth Goodman wrote:
> Frank Ellermann wrote on Sunday, February 04, 2007 12:57 PM -0600:
> > Not necessarily, the famous "enforced submission rights" in RFC 4409
> > are only an OPTION. Any MSA "MUST" (in 4409) have some kind of AUTH,
> > to identify users AUTHorized to use the MSA. That could be anything
> > from SMTP-after-POP over RADIUS to SMTP AUTH (2554bis).
>
> This is true, they don't have to do anything except avoid being listed
> as an open relay. They do authentication to restrict access, but don't
> restrict submission rights and only act when they receive complaints.
> Plenty of large systems still permit sender forgery, ostensibly because
> most of their users submit over port 25, which is often blocked by
> outside networks when their users travel. It's ironic that these same
> systems also block port 25 for users visiting their network space. I
> hope we're not still discussing this same chicken vs. egg problem ten
> years from now.
The tricky part about this is not the technical aspects, but the
administrative/procedural part. If you have a legacy userbase of
thousands/millions, how do you go back and validate which MAIL FROM identities
they should be using? This is a non-trivial problem.
For an MSA that has implemented appropriate technical restrictions, I agree
that the prospective SPF check is largely redundant. At controlledmail.com I
still do it despite having plenty of other protections, in part to detect
errors in customer SPF records (I don't insist they have them, but mail
doesn't depart my server if there is SPF and it's not a PASS) and in part as
a redundant check in case something goes wrong (I believe in a belt and
suspenders approach to security).
The prospective SPF check is an easily implemented check that would prevent
much forgery coming from large ISPs without the administrative burden of
validating their entire userbase. It also gives them an easy answer if
someone complains about forgery from their network (publish a proper SPF
record and it'll stop).
Scott K
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
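The "prospective SPF check" Scott describes, evaluated from the MSA's point of view, as an added example that is not code from the original thread or from controlledmail.com: before a message is accepted for submission, the MSA asks whether its own outbound IP would produce an SPF PASS for the MAIL FROM domain, and refuses the submission when the domain publishes a record but the answer is anything other than PASS. No record at all is accepted, matching the policy in the post. The DNS data is a constructed in-memory fixture (the domain names are hypothetical), and the evaluator is a simplified version of the RFC 4408 check_host() algorithm: it handles ip4, ip6, a, mx, include and all, and reports permerror for anything else (macros, exists, ptr, redirect, CIDR suffixes on a/mx).

```python
import ipaddress

# Constructed DNS fixture standing in for real lookups (hypothetical domains,
# not from the original thread). Each name maps to TXT, A and MX data.
DNS = {
    "example.org": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example ~all"],
        "A": ["198.51.100.7"], "MX": [],
    },
    "_spf.relay.example": {"TXT": ["v=spf1 ip4:203.0.113.10 -all"], "A": [], "MX": []},
    "strict.example": {"TXT": ["v=spf1 a mx -all"], "A": ["203.0.113.50"],
                       "MX": ["mx.strict.example"]},
    "mx.strict.example": {"TXT": [], "A": ["203.0.113.51"], "MX": []},
    "nospf.example": {"TXT": ["some unrelated txt record"], "A": [], "MX": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the fixture above."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None if absent/ambiguous."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Simplified RFC 4408 check_host(): evaluate mechanisms left to right,
    returning the qualifier result of the first match, or 'neutral' if none."""
    if depth > 10:                      # include loop / too many lookups
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed network in the record
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            sub = check_host(str(ip), arg, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror", "temperror"):
                return "permerror"      # RFC 4408: include of a missing/broken record
            # fail / softfail / neutral from the included record: not a match, keep going
        else:
            return "permerror"          # mechanism outside this evaluator's subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def submission_allowed(outbound_ip, mail_from_domain):
    """Prospective check at the MSA: would this message pass SPF once it leaves
    from outbound_ip? Accept when the domain has no record (not insisted on) or
    when the result is PASS; otherwise refuse the submission. Returns (ok, result)."""
    result = check_host(outbound_ip, mail_from_domain)
    return result in ("none", "pass"), result


if __name__ == "__main__":
    # Hypothetical MSA outbound address 203.0.113.10 (listed via the include)
    for domain in ("example.org", "strict.example", "nospf.example"):
        print(domain, submission_allowed("203.0.113.10", domain))
```

The useful property for the ISP case in the post is that the check needs no per-user identity table: the MSA only has to know its own outbound addresses, and any customer who complains about forgery fixes it themselves by publishing a record that does not list those addresses (or lists them only for the mailboxes they actually use). A real deployment would replace the fixture with DNS lookups, bound the query count as RFC 4408 requires, and treat a temperror as a temporary rejection rather than a permanent one.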