[Asrg] mail security
Alessandro Vesely
vesely at tana.it
Fri Jan 23 11:02:10 PST 2009
John Leslie wrote:
> Ian Eiloart <iane at sussex.ac.uk> wrote:
>> --On 21 January 2009 12:27:56 -0500 John Leslie <john at jlc.net> wrote:
>>
>>> However, there are a limited number of ways that forwarding might be
>>> shown in the trace headers, so it should be practical to determine that
>>> a forwarding is documented (though possibly forged).
>>>
>>> We then have a quite different situation from what raw SPF processing
>>> would indicate. Thus I claim the rules deserve to be relaxed (without
>>> going into detail how).
>
> The point I was attempting to make is that SPF records _can_ accurately
> reflect sender policy, while SPF processing will incorrectly indicate a
> violation of it.
That's quite correct. I say "quite" because SPF provides for various
levels of results, without mandating any particular behavior. However,
the quickest behavior, reject on fail, does not allow to examine the
message headers.
> As things stand in SPF, folks end up publishing less-correct records
> in an attempt to tune to a more satisfactory result.
Yup. With rules like "?ip4:80.0.0.0/5" one can succinctly "neutralize"
many IPv4 addresses, possibly excluding forwarders located elsewhere.
For geographically characterized sites, half of the world would still
be much less than all of it.
> [...]
> But please understand that strict SPF processing hasn't yet stopped
> forwarding MTAs from documenting the forwarding according to spec
> rather than rewriting addresses the way you want them to. Do you really
> believe this will change?
I hope it will. Headers that document forwarding are unmanageable.
Some include full explanations in the body, but most don't. Wild
forwarding breaks more than SPF: it breaks most countries' privacy
laws by not letting a recipient know where an alias was expanded from.
More mumblings at http://fixforwarding.org/wiki/privacy_laws
More information about the Asrg
mailing list