> On Jan 5, 2008 10:40 AM, Mark <admin(_at_)asarian-host(_dot_)net> wrote:
> > For example, my mail server uses a single HELO name, but I relay mail
> > for a dozen or so MFROM domains, neither of which ought to be treated
> > as forwards. Treating those instances as forwarding would patently
>
> I don't understand the difference between a relay and a forward pass,
> or why it matters. Why would you relay or forward mail for a domain
> that doesn't give you whatever authorization you ask for?

"Relaying" in the sense used by Mark above refers to the _sender_'s setup.
"Forwarding", however, is almost always set up by the _receiver_. Senders
can always account for their sending infrastructure in their SPF records.
Receivers, on the other hand, don't publish SPF records, so they have to
be aware of their forwarding infrastructure when checking senders' SPF

> why not just use the HELO name to authenticate an incoming IP

You don't authenticate IP addresses. Those are inherently authentic.
What needs to be authenticated are identities such as HELO or MAIL FROM
that are NOT inherently authentic. If you just want to use one of those
identities for a reputation system, then choosing which one to use is
just a matter of the desired granularity. If however you want to use the
MAIL FROM for sending bounces or similar purposes, then authenticating
HELO doesn't help you.

> > But it doesn't help you one bit in determining whether relay X is
> > authorized to send domain Z in MFROM.
>
> Why do we care? If Y is reputable, and it says X is OK, we have what
> we need. If Z is forged, we tell Y, and they fire X.

Except that the firing X part doesn't always happen (or it doesn't happen
quickly enough) in reality.
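
The point made in the message above, that a receiver has to account for its own forwarders when checking a sender's SPF record, shown as an added example that is not part of the original thread. It is one possible approach, not a method the thread prescribes: the SPF record, the addresses (documentation ranges) and the `forwarder_saw_ip` parameter are constructed for illustration, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed data: an SPF record as a sender would publish it.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
# Constructed: forwarders this receiver set up itself (e.g. an alias service).
TRUSTED_FORWARDERS = [ipaddress.ip_network("198.51.100.7/32")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_eval(ip, domain):
    """Evaluate a reduced SPF subset (ip4 and all mechanisms only)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def is_trusted_forwarder(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_FORWARDERS)


def check_mail_from(client_ip, mail_from_domain, forwarder_saw_ip=None):
    """Return (result, ip_checked) for the MAIL FROM identity.

    forwarder_saw_ip is the peer address our own forwarder recorded; it is
    believed only when the connection really comes from a trusted forwarder.
    """
    if is_trusted_forwarder(client_ip) and forwarder_saw_ip:
        return spf_eval(forwarder_saw_ip, mail_from_domain), forwarder_saw_ip
    return spf_eval(client_ip, mail_from_domain), client_ip
```

Without the forwarder's recorded peer address, mail arriving through the forwarder fails the sender's `-all` policy even though the sender's record is correct for its own relays.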