Michael Deutschmann wrote:

> > What's a "TENBOX token" ?
>
> It's the name of a forwarding relationship, which the forwarder gives to
> the recipient, and the recipient gives to his mail admin to be entered
> into a whitelist.
>
> It has the syntax of an e-mail address (so that the right of a host to
> assert a given token may be judged using SPF-like means), but is not
> necessarily a deliverable mailbox.
>
> In practice, it will often be simplest to use the forwarded-from address
> as the TENBOX token, but this doesn't have to be the case.

Okay, let's see if I now understand the complete scheme:

1 - forwarder gets mail from x to user@fwd.example, this user arranged
    to forward mails to him to user.next@hop.example
2 - one of the mailouts of the forwarder connects with one of the MXs of
    hop.example, mumbling something like EHLO mailout-N.fwd.example
3 - The MX of hop.example announces AUTH with a SASL mechanism TENBOX
    (or maybe SPFHELO) as one of its supported SMTP extensions
4 - The forwarder picks AUTH TENBOX (or maybe AUTH SPFHELO)
5 - The MX checks the SPF policy of mailout-N.fwd.example, expecting a
    PASS for the HELO. If that's the case it accepts the AUTH (end of
    the SASL business, a kind of EXTERNAL mechanism). Any other SPF
    result kills the AUTH.
6 - The forwarder says MAIL FROM x AUTH=user@fwd.example (or another
    kind of "TENBOX token"), the MX accepts it on probation.
7 - The forwarder says RCPT TO user.next@hop.example, and the MX is
    supposed to know that this mailbox is willing to accept the given
    "TENBOX token", in other words the MX now skips its SPF MAIL FROM
    check and accepts the RCPT TO.
8 - If the forwarder says RCPT TO shit.happens@hop.example the MX
    would check the MAIL FROM and likely reject it if it has an SPF
    FAIL policy not permitting the IP(s) of mailout-N.fwd.example
9 - Some time later user.next@hop.example will find a mail from x via
    fwd.example (= for user@fwd.example) in his inbox. It might have
    a Received-SPF HELO PASS trace header field.

Is that the idea, or did I miss something?

Frank
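
The receiving MX's decisions in steps 5 to 8 of the message above, as an added example that is not part of the original post and not code from any TENBOX implementation. The `Session` class, the `deliver` helper, the sender address `x@sender.example`, the mailbox `other@hop.example` and the IP addresses are assumptions made for illustration, and SPF results come from constructed tables instead of DNS.

```python
# Constructed sample data; SPF results are stubbed tables, no DNS is queried.
HELO_SPF = {("mailout-1.fwd.example", "192.0.2.10"): "pass"}
MAILFROM_SPF = {("x@sender.example", "192.0.2.10"): "fail",
                ("x@sender.example", "198.51.100.7"): "fail"}
# Tokens each mailbox accepts, as entered by the mail admin (step 7).
WHITELIST = {"user.next@hop.example": {"user@fwd.example"}}


class Session:
    """Receiver-side state for one SMTP connection (hypothetical model)."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.helo = self.mail_from = self.token = None
        self.authenticated = False

    def ehlo(self, name):
        self.helo = name

    def auth_tenbox(self):
        # Step 5: only SPF PASS for the HELO name accepts the AUTH.
        result = HELO_SPF.get((self.helo, self.client_ip), "none")
        self.authenticated = result == "pass"
        return self.authenticated

    def mail(self, sender, token=None):
        # Step 6: the token is kept on probation, and only after a good AUTH.
        self.mail_from = sender
        self.token = token if self.authenticated else None

    def rcpt(self, recipient):
        # Step 7: a whitelisted token skips the SPF MAIL FROM check.
        if self.token in WHITELIST.get(recipient, set()):
            return 250, "token whitelisted, MAIL FROM check skipped"
        # Step 8: otherwise the usual SPF MAIL FROM check applies.
        result = MAILFROM_SPF.get((self.mail_from, self.client_ip), "none")
        if result == "fail":
            return 550, "SPF fail for MAIL FROM"
        return 250, "accepted after SPF MAIL FROM check"


def deliver(client_ip, helo, sender, token, recipient):
    """Run EHLO, AUTH, MAIL FROM, RCPT TO and return the RCPT reply."""
    s = Session(client_ip)
    s.ehlo(helo)
    s.auth_tenbox()
    s.mail(sender, token)
    return s.rcpt(recipient)
```

A host that claims the forwarder's HELO name from an address the HELO policy does not cover fails the AUTH, so its token is dropped and the ordinary MAIL FROM check decides the outcome.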