spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[spf-discuss] Re: TENBOX/E as an AUTH type

2007-04-04 12:31:59
from [Frank Ellermann] [Permanent Link] 
Michael Deutschmann wrote:


What's a "TENBOX token" ?

 

It's the name of a forwarding relationship, which the forwarder gives to
the recipient, and the recipient gives to his mail admin to be entered
into a whitelist.

 

It has the syntax of an e-mail address (so that the right of a host to
assert a given token may be judged using SPF-like means), but is not
necessarily a deliverable mailbox.

 

In practice, it will often be simplest to use the forwarded-from address
as the TENBOX token, but this doesn't have to be the case.


Okay, let's see if I now understand the complete scheme:

1 - forwarder gets mail from x to user(_at_)fwd(_dot_)example, this user 
arranged
    to forward mails to him to user(_dot_)next(_at_)hop(_dot_)example

2 - one of the mailouts of the forwarder connects with one the MXs of
    hop.example, mumbling something like EHLO mailout-N.fwd.example

3 - The MX of hop.example announces AUTH with a SASL mechanism TENBOX
    (or maybe SPFHELO) as one of its supported SMTP extensions

4 - The forwarder picks AUTH TENBOX (or maybe AUTH SPFHELO)

5 - The MX checks the SPF policy of mailout-N.fwd.example, expecting a
    PASS for the HELO.  If that's the case it accepts the AUTH (end of
    the SASL business, a kind of EXTERNAL mechanism).  Any other SPF
    result kills the AUTH.

6 - The forwarder says MAIL FROM x AUTH=user(_at_)fwd(_dot_)example (or another
    kind of "TENBOX token"), the MX accepts it on probation.

7 - The forwarder says RCPT TO user(_dot_)next(_at_)hop(_dot_)example, and the 
MX is
    supposed to know that this mailbox is willing to accept the given
    "TENBOX token", in other words the MX now skips its SPF MAIL FROM
    check and accepts the RCPT TO.

8 - If the forwarder says RCPT TO shit(_dot_)happens(_at_)hop(_dot_)example the 
MX
    would check the MAIL FROM and likely reject it if it has an SPF
    FAIL policy not permitting the IP(s) of mailout-N.fwd.example

9 - Some time later user(_dot_)next(_at_)hop(_dot_)example will find a mail 
from x via
    fwd.example (= for user(_at_)fwd(_dot_)example) in his inbox.  It might have
    an Received-SPF HELO PASS trace header field.

Is that the idea, or did I miss something ?

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to http://v2.listbox.com/member/?list_id=735
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] Re: New Best Practices page, Dotzero
Next by Date:  [spf-discuss] Fwd: spf Sender address rejected, Julian Mehnle
Previous by Thread:  Re: [spf-discuss] Re: TENBOX/E as an AUTH type, Michael Deutschmann
Next by Thread:  Re: [spf-discuss] Re: TENBOX/E as an AUTH type, Michael Deutschmann
Indexes:  [Date] [Thread] [Top] [All Lists]