[Exim] Thoughts on sender/host verification.

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Scott Call
Data:  
Para: Exim-users
Asunto: [Exim] Thoughts on sender/host verification.
I've been reading all the discussions of SPF and Yahoo's scheme, and I had
a thought.

Like most thoughts I'm sure somebody else has had it, and probably
dismissed it, but I wanted to share it. Feel free to heckle or pick it
apart.

Both SPF and Yahoo's domainkeys limit the sender to a particular server or
set of servers. Since that lock-in is sure to rankle some, I think I may
have a better way.

Basically it would be a dynamic DNS (or LDAP but since DNS is the current
distributed database protocol of choice in the Internet mail I'll stick
with that for my example) lookup to determine if a sender is allowed to
send from an IP/Email Address pair.

The queries could be DNSBL style and could be fed from static sources as
well as things like web-registration or remote mail check logins.

For example mail from "scall@???" coming from 206.58.251.131
would query "131.251.58.206.mfrm.devolution.com" which would return a TXT
record (or multiple records) consisting of valid email addresses. If one
of the TXT records matches the MAIL FROM address it is allowed through.

There would be wildcard records too so 131.251.58.206.mfrm.devolution.com
could have a TXT record of "*" (or something similar) which would indicate
any email address @devolution.com would be allowed to send from that IP.
A negative value would also be allowed (if you needed to explicity deny a
sender).

To test to see if a given domain supports this feature, mfrm.domain.com
would answer with a known value. If it gets a not found then the MTA
would not query further. If it gets the known value, it will then do the
query as listed above, and a not found will be a deny. If a record is
returned then the comparison is run as above.

Honestly this is just a brainstorm and probably has implications and
problems I haven't thought of, but as an opt-in system I think it has
potential.

I thought about having the query be the email address and having A records
returned for allowed senders but that sounds like a dictionary attack
waiting to happen.

I'm very curious what others think (and I have a thick skin after 10 years
in the ISP biz) about this idea.

Thanks
-Scott

--
Scott Call    Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814