Re: [Exim] SMTP+SPF

Author: David Saez
Date:  
To: James P. Roberts
CC: exim-users
Subject: Re: [Exim] SMTP+SPF
Hi !!

> > No idea, at the end you only have to publish one ip for every outgoing
> > smtp server you have, publishing all your ip addresses is not a good
> > idea.
>
> Nope, as I read it, I would be required to publish data for EVERY IP I
> CONTROL, even if just to specify "deny" for all but one or two of them.
> Perhaps the draft needs tweaking?


You need to publish one allow record for every ip that you authorize to
send mail for your domain and ONE wildcard deny record that denies ANY ip
on the internet (not all of your ips):

80.226.100.212.in-addr._smtp_client.mydomain.com TXT "spf=allow"
             *.in-addr._smtp_client.mydomain.com TXT "spf=deny"


> I am talking about the time required to develop/test/implement/maintain
> any filtering based on SPF data


SpamAssassin 2.70 will have SPF support, so you will spend no time
developing, testing or implementing it. This is the same for MTAs that
will have support for it. Maintaining it is just as simple as ensuring
your SPF dns published data is updated, which in most cases will take
no time.

> made particularly difficult in the near term
> by the non-global, time-varying, and unpredictable nature of SPF data
> availability.


Take a look at this:

http://news.com.com/2100-1038_3-5058610.html?tag=fd_lede1_hed

looks like the big ones are trying to solve the very same problem, this
means that when some solution to that problem has been proposed (spf,
dmp, rmx, teos,...) passes the draft status and becomes an RFC you will have
enough data to block a great amount of spam, viruses and forged emails.

> But Hotmail has NOT started using it, have they? And they are not likely to
> before the SPF concept has been accepted as an approved RFC.


right, spf is just a draft, from my point of view it needs to solve some
problems in a better way, but the idea looks good, it's not perfect but
could be easily implemented. Nevertheless, at the end some solution will
become an RFC and enough data will start to become available.

> > did you ever receive LOTS of bounces due to somebody using your
> > email address ? did you receive LOTS of virus warnings due to some
> > virus using your email address ?
>
> Nope. Although I understand the problem for larger outfits.


We are a very little company and we are rejecting almost 3000 messages a day
addressed to only one email address for a total of about 25000 rejections
per day, the problem is not only for large outfits, it could also hit you.

> Ah, there's the rub, eh? Just how easy is it, right now? Even though Exim
> has nifty ACL's and such, I would still have to spend time to establish
> policies for exactly how to use SPF data, translate those policies into
> software rules


when a ready to use solution is available you don't need to establish
complex policies, spf will tell you when to reject or accept a message, and
the best thing about it is that it will be the sender's domain administrator
who will tell you from which hosts you can receive his email.

> and those policies would necessarily have to change over time
> during the expansion phase of SPF acceptance.


no need to change.

> I would be signing on for an
> unknown amount of maintenance. eeek!


well, it's your job, you are supposed to be paid for doing it and you are
supposed to do your best to protect your users (just in case it really
takes you a considerable amount of time, but that's not the case)

> Sure it is. I'm not saying it's a bad idea, I am simply pointing out how
> difficult it will be to get to a useful level of implementation.


well, when aol or microsoft or some big provider say 'we will only accept
emails from spf protected systems' it will be quickly implemented. Do you
believe this will never happen ? Just to illustrate this, now AOL just refuses
any email coming from a server without proper dns reverse resolution. This
will do more for the 'reverse dns cause' than lots of small providers that
have been doing the same for years.

> Oh, I agree that something is probably going to happen. I am not convinced
> (yet) it will be SPF.


me too. maybe teos wins as it could give some economical benefit to the
companies that issue certificates, but i prefer dmp or spf.

> Why publish extra data that few will use in a format
> that is likely to change before the community agrees on the solution... ? At
> the very least, I need to wait until the final RFC is approved.


True, i'm not trying to convince anybody to adopt or publish spf right now.
I just wrote an exim acl and published spf data for my domains to start testing
spf, I take it as an exercise and give anybody else the choice to try it.

> It costs more than zero, and saves me ZERO until it is widely accepted. I am
> not saying I would never do it. I am saying, I am not going to do it *now*.


nobody is asking you to do it right now, i'm just giving some reasons to adopt
spf (i should add - when it becomes a standard). In the meantime you could do
whatever you like.

--
Best regards ...

You go to heaven...God sneezes... What do you say?

----------------------------------------------------------------
   David Saez Padros                http://www.ols.es
   On-Line Services 2000 S.L.       e-mail  david@???
   Pintor Vayreda 1                 telf    +34 902 50 29 75
   08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------
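The allow/deny lookup David describes above, as an added example that is not part of the original thread, Exim or SpamAssassin: it evaluates the early-draft record layout from the post (`<reversed ip>.in-addr._smtp_client.<domain> TXT "spf=allow"` plus a wildcard deny). It assumes the name is the dotted quad reversed like in-addr.arpa, and replaces DNS with a constructed in-memory zone so it runs offline.

```python
"""Evaluate the early SPF-draft DNS layout quoted in the post.

Hypothetical example code; the record syntax is the one from the
message, not the later "v=spf1" syntax. DNS is simulated by a dict.
"""
import ipaddress
from typing import Dict, Optional

# Constructed zone: 212.100.226.80 is the only authorised sender for
# mydomain.com; the wildcard denies every other client ip.
ZONE: Dict[str, str] = {
    "80.226.100.212.in-addr._smtp_client.mydomain.com": "spf=allow",
    "*.in-addr._smtp_client.mydomain.com": "spf=deny",
}


def client_name(ip: str, domain: str) -> str:
    """Build the lookup name: octets reversed, as in-addr.arpa does (assumption)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr._smtp_client." + domain


def spf_verdict(ip: str, sender_domain: str, zone: Dict[str, str]) -> str:
    """Return 'allow', 'deny' or 'unknown' (domain publishes no records).

    Exact record wins; otherwise the wildcard under in-addr._smtp_client
    applies, mirroring DNS wildcard matching of deeper names.
    """
    name = client_name(ip, sender_domain.lower())
    txt: Optional[str] = zone.get(name)
    if txt is None:
        wildcard = "*" + name[name.index(".in-addr."):]
        txt = zone.get(wildcard)
    if txt is None or not txt.startswith("spf="):
        return "unknown"
    value = txt.split("=", 1)[1]
    return value if value in ("allow", "deny") else "unknown"


def acl_action(ip: str, mail_from: str, zone: Dict[str, str]) -> str:
    """Map the verdict to an SMTP-time decision for the MAIL FROM domain.

    Only an explicit deny rejects; domains without data are accepted,
    because (as the thread notes) most domains publish nothing yet.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    verdict = spf_verdict(ip, domain, zone)
    return "reject" if verdict == "deny" else "accept"
```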