Re: [Exim] SMTP+SPF

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Matthew Byng-Maddick
Fecha:  
A: exim-users
Asunto: Re: [Exim] SMTP+SPF
On Thu, Jul 31, 2003 at 10:35:31AM +0100, Konrad Michels wrote:
> Had a bit of a read through the SPF site, and an intial reading seems to
> indicate a clever idea, I just wonder a bit about the implimentation
> philosophy. Maybe I'm just reading it wrong, but from the looks of
> things, if, like me, you're running exim on your laptop, and have
> multiple e-mail accounts all over the show from which you collect mail
> via POP3 or IMAP, you have a problem.


I don't think that's the problem with the philosophy. My problem with it
is that I don't think it scales well. In typical fashion, the author
appears to have considered something that he can maintain without much
trouble with no thought to how it scales for large multiple hosted
organisations. Also, it doesn't scale well for any organisation who respond
to load by bringing other machines online. There appears to be no provision
for killing the SPF querier by doing recursive SPFincludes, with no actual
data. As far as I can tell, David Saez's ACL falls to this attack. This is
also by no means the first time that something like this has been mooted,
and every time, it's rejected, mainly because of the enormous amount of work
it requires (both to set up and to maintain).

Personally I'd avoid it like the plague until it's on the Standards Track.
(ie. it's something more than an I-D).

> I have, for example, an domain, mail for which is handled by my machine
> at home at the end of a cable connection which has a certain IP
> address. Not being an ISP, I don't have my own DNS server, and make use
> of EasyDNS for this domain. When I'm at work, either in the UK office
> or in the Swiss office, I frequently send mail with reply-to etc
> addresses set to my home domain. I also POP to that machine at home,
> collect mail, and reply to it, which then automagically sets my reply-to
> address as my home domain.


The answer is to use an Authenticated SMTP relay. As that document says.
You probably should be doing this anyway. What if the end mailserver
doesn't accept your message straight away? (I defer on all connections
for IP addresses I've not seen before).

> This would mean that I would have to get EasyDNS to publish SPF
> information for my home domain which included all the possible IP
> addresses from which mail from this domain could emanate? What happens
> if I'm on business in, say, Copenhagen, making use of the Hotel's
> internet connection, which means that mail will not be emanating from
> the IP addresses listed in the SPF information?


See above.

> I accept that this is a fairly isolated case, as not everyone roams with
> a linux laptop, but I can see a similar problem emerging for contractors
> working in different offices, using different mail addresses for
> different aspects of their daily activity.


If you are trying to mail direct-to-MX, you should be able to use a
sensible retry strategy, which means that you should not be on and off
a network.

> Or maybe I've just completely misunderstood the whole thing . . .


I'd claim you've misunderstood how SMTP is supposed to work.

MBM

--
Matthew Byng-Maddick         <mbm@???>           http://colondot.net/