On Mon, 28 Mar 2011 at 03:12 +0100, Jeff Lasman wrote
>
>
> I'd still like to find out if others are doing this or not. Will anyone else
> respond?
>
Well we are a university, not an ISP, so parameters are very different but
for what it's worth :-
We only require the sender address to verify. For addresses on our domains
that means a valid local part, but if people use addresses on other
domains then it only requires the domain to verify - we don't use sender
callouts (statement of fact, I'm not trying to restart that thread!).
Yes, this means people can spoof other addresses at our domains (or
elsewhere) but this has not yet been found to be a problem (we can of
course trace actual sender through authentication details) so I have seen
no reason to add an extra layer of complexity by keeping a lookup table
for authenticated-id -> sender_address.
The main purpose of this setup is to catch mistyped email addresses in
MUAs rather than anti forgery. The latter is stopped by policy rather than
technical methods.
I should also point out that mail storage at this site is MS Exchange so
primary mail access is via Outlook / webmail and only users who choose to
use another MUA will be using the MSA so there is actually fairly low use.
Jonathan
--
------------------------------------------------------------------------------
J. R. Haynes
Senior Network Specialist
IT Department, e-mail: J.Haynes@???
Bld 63,
Cranfield University, Tel: Bedford (01234) 754205
Wharley End, Bedford (01234) 750111 Extn 4205
Cranfield, Fax: Bedford (01234) 751814
Beds.,
MK43 0AL.
