Jeff McAdams on 22 Mar 2004 01:27:02 -0000



Re: [PLUG] Re: SPF


Walt Mankowski wrote:
> You're confusing the envelope sender with the From: address.  SPF only
> protects the *envelope*.  In fact, it doesn't even look at the message
> itself, only the envelope.  You can set your From: address to anything
> you want, so long as an authorized host is given as the "Mail From:"
> domain in the SMTP envelope.

> If you're on a Comcast cable modem, for instance, it's perfectly legal
> to relay through their SMTP server but with a From: address of
> iglou.com.  The recipient's SMTP server will see the mail as coming
> from "jeffm@comcast.net", but that'll be ok because it will be coming
> from a Comcast SMTP server which they'll have authorized as being
> allowed to send Comcast mail.  But that's all just protocol.  When the
> recipient gets the mail, they'll just see "From: jeffm@iglou.com".

OK, not that I confused the two, just that I didn't know that SPF dealt
with envelope rather than the header.  Regardless, however, you have all
of the same issues with the envelope.

When I'm at my parents' house, I don't have a valid account on the cable
provider's ISP (I'm not even sure that *they* do...I assume they do...I
think this provider provides email services to their customers, but I
really don't know that for sure), so I really couldn't put that in.
Unless the point is that it's anything at comcast.com (or whatever the
domain) and it's not checked for a valid account, in which case the check
is all but useless.  So, again, I'd be back to relaying off of my IgLou
ISP (again, doable because they support SMTP AUTH).

Like I said, maybe it's reasonable to deploy SPF in conjunction with SMTP
AUTH...actually, I think that's probably a pretty good idea.  I do think
that SMTP AUTH should be deployed much more widely than it is.  I saw
someone (I think it was on the exim mailing list) point out that we had
to change our way of doing things when we started dealing with 3rd party
relaying, and this is another change...which would be valid, but I don't
think SPF is reasonable or feasible to deploy without SMTP AUTH support
to allow people to relay off their "home" SMTP server when they're not
on the home network.

Besides, if SPF only deals with the envelope (which really makes sense,
since I assume that check happens at RCPT: time, which would be before
the header From: is even received), then it really does nothing to
prevent a message from showing up in my mailbox as "From:
blah@yahoo.com", which, it seems to me, was the point of the whole
exercise in the first place.  :/
-- 
Jeff McAdams
"He who laughs last, thinks slowest." -- anonymous
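
The envelope-versus-header point discussed in this thread, as an added example that is not part of the original post: a simplified SPF evaluator (only the `ip4` and `all` mechanisms) showing that the result depends on the connecting IP and the envelope sender, never on the From: header. The SPF records, IP ranges (documentation ranges) and function names are constructed for illustration and stand in for real DNS lookups.

```python
import ipaddress
from email import message_from_string

# Constructed SPF records standing in for DNS TXT lookups (not real policies).
SPF_RECORDS = {
    "comcast.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "iglou.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate a simplified SPF policy (ip4 and all only) for the envelope sender."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

def make_message(header_from):
    """Build a constructed sample message with the given From: header."""
    return f"From: {header_from}\nTo: list@example.org\nSubject: test\n\nbody\n"

def receive(client_ip, mail_from, raw_message):
    """Return (SPF result, From: header the reader sees). SPF never reads raw_message."""
    result = spf_check(client_ip, mail_from)
    header_from = message_from_string(raw_message)["From"]
    return result, header_from

if __name__ == "__main__":
    for shown in ("jeffm@iglou.com", "blah@yahoo.com"):
        # Same authorized relay and envelope sender, different header From:
        print(receive("192.0.2.25", "jeffm@comcast.net", make_message(shown)))
    # Unauthorized connecting host for the same envelope domain
    print(receive("203.0.113.9", "jeffm@comcast.net", make_message("jeffm@iglou.com")))
```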