RE: [exim] support for domainkeys

Author: David Woodhouse
Date:  
To: David Brodbeck
CC: exim-users
Subject: RE: [exim] support for domainkeys
On Thu, 2004-09-23 at 12:32 -0400, David Brodbeck wrote:
> It's even less effective than SPF; at least with SPF I can't
> forge a domain that has an SPF record that excludes Comcast's servers.
Wrong. You just use SRS to do it -- so instead of sending
MAIL FROM:<victim@???> you'd send instead something like
MAIL FROM:<SRS0+xx+yy+abused.net+victim@???>

Either way, the recipient needs to know how much they trust the Comcast
mail server by looking it up in a whitelist or blacklist -- some kind of
'trust database'. It doesn't actually _matter_ what handle they refer to
it by -- whether it's the domain name "comcast.net" or whether it's the
ident of the TLS cert which Comcast generated for themselves.

In fact you could even continue to use the domain name, if there were
some SPF-like scheme which published the details of TLS certs, instead
of IP addresses which are 'authorised', and if they were checked against
the HELO greeting instead of the MAIL FROM: address.

We are getting very off-topic though. MARID is dead, and let's not mourn
it for too long.

--
dwmw2
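The SRS rewriting mentioned above, worked through as an added example (this is not code from the post, from Exim, or from any SRS library). It builds an SRS0 address the way a forwarder would, parses one back, shows which domain an SPF check actually evaluates, and demonstrates that only the party holding the forwarder's secret can check the embedded hash. The domain forwarder.example, the secret, and the simplified hash construction (HMAC-SHA1 over lowercased timestamp, host and local part, first four base64 characters) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed secret for the example forwarder; a real forwarder keeps its own.
FORWARDER_SECRET = b"example-forwarder-secret"

# Two-character base32 timestamp alphabet (days since epoch, mod 1024).
TS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# SRS0<sep>HASH<sep>TS<sep>host<sep>user ; the separator may be '=', '+' or '-'.
# The first three fields are matched non-greedily, the original local part greedily.
SRS0_RE = re.compile(r"^SRS0([=+-])(.+?)\1(.+?)\1(.+?)\1(.+)$", re.IGNORECASE)


@dataclass
class SrsAddress:
    separator: str
    srs_hash: str
    timestamp: str
    original_sender: str   # the address the message claims to be forwarded for
    forwarder_domain: str  # the domain SPF is evaluated against


def srs_timestamp(days: int) -> str:
    """Encode a day count as the two-character SRS timestamp."""
    v = days % 1024
    return TS_ALPHABET[(v >> 5) & 31] + TS_ALPHABET[v & 31]


def srs_hash(secret: bytes, ts: str, host: str, user: str) -> str:
    """Simplified SRS hash (assumption): HMAC-SHA1 over the lowercased fields."""
    msg = f"{ts}{host}{user}".lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def rewrite_srs0(original_sender: str, forwarder_domain: str,
                 secret: bytes, days: int) -> str:
    """Rewrite an envelope sender the way a forwarder does ('=' separator)."""
    user, _, host = original_sender.rpartition("@")
    ts = srs_timestamp(days)
    h = srs_hash(secret, ts, host, user)
    return f"SRS0={h}={ts}={host}={user}@{forwarder_domain}"


def parse_srs0(address: str) -> Optional[SrsAddress]:
    """Decode an SRS0 address; returns None for anything that is not SRS0."""
    local, _, domain = address.rpartition("@")
    m = SRS0_RE.match(local)
    if not m or not domain:
        return None
    sep, h, ts, host, user = m.groups()
    return SrsAddress(sep, h, ts, f"{user}@{host}", domain)


def spf_checked_domain(mail_from: str) -> str:
    """SPF is evaluated on the domain after '@' of MAIL FROM, whatever the
    local part says, so an SRS0 sender is checked against the forwarder only."""
    return mail_from.rpartition("@")[2]


def forwarder_can_verify(address: str, secret: bytes) -> bool:
    """Only the holder of the forwarder's secret can check the hash; a
    recipient without it learns nothing about who rewrote the address."""
    p = parse_srs0(address)
    if p is None:
        return False
    user, _, host = p.original_sender.rpartition("@")
    expected = srs_hash(secret, p.timestamp, host, user)
    return hmac.compare_digest(expected, p.srs_hash)


if __name__ == "__main__":
    addr = rewrite_srs0("victim@abused.net", "forwarder.example", FORWARDER_SECRET, days=100)
    print(addr)
    print("SPF checks:", spf_checked_domain(addr))
    print("original sender claimed:", parse_srs0(addr).original_sender)
    print("forwarder verifies:", forwarder_can_verify(addr, FORWARDER_SECRET))
    print("third party verifies:", forwarder_can_verify(addr, b"some-other-secret"))
```

The point the parser makes concrete: whatever is in the local part, the SPF record consulted is the forwarder's, so trust has to rest on the forwarding host itself (the whitelist/blacklist the post describes), not on the address it presents.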