Walt Mankowski on 22 Mar 2004 01:55:03 -0000



Re: [PLUG] Re: SPF


On Sun, Mar 21, 2004 at 08:26:07PM -0500, Jeff McAdams wrote:
> OK, not that I confused the two, just that I didn't know that SPF dealt
> with envelope rather than the header.  Regardless, however, you have all
> of the same issues with the envelope.
> 
> When I'm at my parents' house, I don't have a valid account on the cable
> provider's ISP (I'm not even sure that *they* do...I assume they do...I
> think this provider provides email services to their customers, but I
> really don't know that for sure), so I really couldn't put that in.
> Unless the point is that it's anything at comcast.com (or whatever the
> domain) and it's not checked for a valid account, in which case the check
> is all but useless.  So, again, I'd be back to relaying off of my IgLou
> ISP (again, doable because they support SMTP AUTH).

SPF isn't designed to look at accounts, only domains.  You're sending
the mail from a comcast.com IP address, so Comcast just has to say
that it's OK for that address to say that it's @comcast.com.

So if you're at your parents' place you can relay through Comcast or
IgLou.  Either way your envelope sender should be set to the proper
domain, and the receiving SMTP servers should be happy.

> Like I said, maybe it's reasonable to deploy SPF in conjunction with SMTP
> AUTH...actually, I think that's probably a pretty good idea.  I do think
> that SMTP AUTH should be deployed much more widely than it is.  I saw
> someone (I think it was on the exim mailing list) point out that we had
> to change our way of doing things when we started dealing with 3rd party
> relaying, and this is another change...which would be valid, but I don't
> think SPF is reasonable or feasible to deploy without SMTP AUTH support
> to allow people to relay off their "home" SMTP server when they're not
> on the home network.
> 
> Besides, if SPF only deals with the envelope (which really makes sense,
> since I assume that check happens at RCPT: time, which would be before
> the header From: is even received), then it really does nothing to
> prevent a message from showing up in my mailbox as "From:
> blah@yahoo.com", which, it seems to me, was the point of the whole
> exercise in the first place.  :/

No.  The whole point is that spammers can't lie about which domains
they're sending their mail from.  And that happens in the envelope,
not the From: address.

Walt
