Re: [Exim] Thoughts on sender/host verification.

Top Page
Delete this message
Reply to this message
Author: Matthew Byng-Maddick
Date:  
To: exim-users
Subject: Re: [Exim] Thoughts on sender/host verification.
On Wed, May 19, 2004 at 02:12:06AM -0700, Scott Call wrote:
> On Wed, 19 May 2004, Matthew Byng-Maddick wrote:
> > On Wed, May 19, 2004 at 01:36:58AM -0700, Scott Call wrote:
> > This is basically the same as SPF, and has exactly the same set of problems.
> Please expand on this statement, I'm curious about it.


You're trying to verify that the connecting server is allowed to send that
envelope originator domain. This is one of the things that many people on
this list get annoyed about, and is specifically worked around by domainkeys.

If you, for example, send mail to mbm@???, then it will
come back to me at colondot.net. I will see your forwarded mail with the
same envelope information, but with chiark as the connecting IP. I can't
verify the information you're asserting.

> My understanding of SPF is it sets an explicit (static, since it is
> cached as part of DNS) list of hosts allowed to send mail for an entire
> domain.


Yes. Sort of. You can reduce the TTL on this record, in the same way as
you can for your inverse-IP dns schemes. The size of the list is an issue,
but not a very interesting one.

> By changing the lookup to map an IP to an exact email address you get
> increased granularity and you loose the server lock-in factor of SPF and
> Domainkeys.


You've just got a different static "list of hosts" which may be the whole
internet, but then that's achieved with the ?=all or whatever the SPF
syntax is today.

As far as I'm concerned, your system has exactly the same failings as SPF,
and will need the same broken workarounds, while gaining little.

MBM

--
Matthew Byng-Maddick          <mbm@???>           http://colondot.net/
                      (Please use this address to reply)