
Re: Benefits/costs of authorizing different identities




On Fri, Apr 02, 2004 at 07:00:57PM -0800, John Gardiner Myers wrote:

They are unauthorized per the explicit policy advertisement made by the domain holder. The MTA sending mail with the identity is not on that domain's list of authorized servers.


I agree with Dave that the term "desired forgery" is contradictory and confuses the meaning. "Forgery" is one type of inappropriate/bad behavior that is (mostly) mitigated by an LMAP system. Other ways that the real, authorized sender might legitimately send mail today, but would be disallowed by LMAP, shouldn't be called forgery. I don't have a "best" suggestion but here are a few... feel free to add more:
unexpected source
remote MTA
unsupported relay, third-party relay
out-of-policy



--"Mark C. Langston" <mark@xxxxxxxxxxxx> wrote:
The point I'm getting at in that statement is this:  The choice to add
TXT (or other less-common) RR's to a zone file may be as likely to be
that of the hosting service than the domain holder.  Likewise, the
content of those RR's may well be decided by the hosting service (though
I hold up EasyDNS's recent introduction of SPF TXT RR's as a shining
counter-example:  http://support.easydns.com/tutorials/spf/ ).


That reminds me, there was another point I wanted to mention. Usually we think of LMAP as "a policy that applies to all messages from a certain domain". But, it is actually possible with SPF (using macros) to assert a different policy for each individual user as well. Check out the following example:

example.com. IN TXT "v=spf1 a mx ptr include:%{l}.user-spf.example.com -all"
gconnor.user-spf.example.com. IN TXT "v=spf1 ptr:nekodojo.org"
mark.user-spf.example.com. IN TXT "v=spf1 ptr:bitshift.org"
postmaster.user-spf.example.com. IN TXT "v=spf1 -all"
*.user-spf.example.com. IN TXT "v=spf1 -all"


What does this mean?

1. A little flexibility can be a good thing. It's possible that people will find uses for the technology that nobody on the original team would have thought of.

2. It's possible to design a system where users can type in their own overrides - if an ISP or corporate megalith has enough users, they might want to provide per-user settings. This permits users more flexibility to send, and as a bonus it can also make it harder for one user to forge the name of another user at the same domain.

--
Greg Connor <gconnor@xxxxxxxxxxxx>
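The per-user policy trick in the SPF records above (the `include:%{l}.user-spf.example.com` term plus the wildcard fallback) can be walked through with a small offline evaluator. This is an added example, not code from the list post or from any SPF implementation: the zone and the A/MX/PTR answers are constructed Python dicts using documentation addresses, the macro expander handles only `%{l}`, `%{o}`, `%{s}` and `%{d}`, and the wildcard lookup is a simplified stand-in for real DNS wildcard rules. The mechanism set is exactly what the five records use (`a`, `mx`, `ptr`, `include`, `all`); anything else is treated as a permanent error.

```python
import re

# Constructed zone: the TXT records from the post, keyed by owner name.
ZONE = {
    "example.com": "v=spf1 a mx ptr include:%{l}.user-spf.example.com -all",
    "gconnor.user-spf.example.com": "v=spf1 ptr:nekodojo.org",
    "mark.user-spf.example.com": "v=spf1 ptr:bitshift.org",
    "postmaster.user-spf.example.com": "v=spf1 -all",
    "*.user-spf.example.com": "v=spf1 -all",
}

# Constructed forward/reverse answers (RFC 5737 documentation IPs; hypothetical hosts).
A_RECORDS = {
    "example.com": {"192.0.2.10"},
    "mail.example.com": {"192.0.2.25"},
    "smtp.nekodojo.org": {"198.51.100.7"},
    "mx.bitshift.org": {"203.0.113.9"},
}
MX_RECORDS = {"example.com": {"mail.example.com"}}
PTR_RECORDS = {
    "198.51.100.7": "smtp.nekodojo.org",
    "203.0.113.9": "mx.bitshift.org",
    "192.0.2.25": "mail.example.com",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macros(text, sender, domain):
    """Expand the subset of SPF macros these records need: l, o, s, d and %%."""
    local, _, sender_domain = sender.rpartition("@")
    table = {"l": local, "o": sender_domain, "s": sender, "d": domain}
    return re.sub(r"%\{([lods])\}", lambda m: table[m.group(1)], text).replace("%%", "%")


def lookup_txt(name):
    """Exact owner name first, then the nearest '*.' wildcard (simplified DNS wildcard)."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in ZONE:
            return ZONE[wild]
    return None


def ptr_matches(ip, target_domain):
    """ptr mechanism: reverse-map the IP, forward-confirm it, then check the suffix."""
    host = PTR_RECORDS.get(ip)
    if host is None or ip not in A_RECORDS.get(host, set()):
        return False
    return host == target_domain or host.endswith("." + target_domain)


def check_host(ip, domain, sender, depth=0):
    """Evaluate domain's SPF record for (ip, sender); returns an SPF result string."""
    if depth > 10:
        return "permerror"  # runaway include chain
    record = lookup_txt(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        # Macros expand against the *current* domain (%{d}) and the envelope sender.
        arg = expand_macros(arg, sender, domain) if arg else domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in A_RECORDS.get(arg, set())
        elif mech == "mx":
            matched = any(ip in A_RECORDS.get(mx, set()) for mx in MX_RECORDS.get(arg, set()))
        elif mech == "ptr":
            matched = ptr_matches(ip, arg)
        elif mech == "include":
            inner = check_host(ip, arg, sender, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # an include target with no record is a permanent error
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism not modelled here (ip4, exists, ...)
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no explicit 'all'


def effective_user_record(sender):
    """Show which per-user record the include: term selects for this sender."""
    name = expand_macros("%{l}.user-spf.example.com", sender, "example.com")
    return name, lookup_txt(name)


if __name__ == "__main__":
    for sender, ip in [("gconnor@example.com", "198.51.100.7"),
                       ("mark@example.com", "198.51.100.7"),
                       ("alice@example.com", "192.0.2.25"),
                       ("alice@example.com", "198.51.100.7")]:
        print(sender, ip, effective_user_record(sender)[0], check_host(ip, "example.com", sender))
```

The interesting rows are the second and fourth: a host that nekodojo.org's PTR space vouches for passes for `gconnor@` but fails for `mark@`, and a local-part with no dedicated record falls through to the `*.user-spf.example.com -all` wildcard, so it can only pass via the domain-wide `a`/`mx`/`ptr` terms. That is the "harder for one user to forge another at the same domain" property from the post, and it also shows why the wildcard record matters: without it, an unknown local-part would make the `include:` target return no record, which an RFC-conformant verifier treats as a permanent error rather than a fail.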