On Mon, 11 Dec 2006, Matthias Keller wrote:

> John D. Hardin wrote:
> > On Mon, 11 Dec 2006, Matthias Keller wrote:
> >
> >> And forcing users to use their ISP's mail server effectively defeats SPF
> >
> > How so?
> >
> > I'm assuming a home business owner owns and uses their own domain and
> > has the ability to set up SPF records for that domain. If you are
> > routing your outbound mail via your ISP's MTAs, just grab your ISP's
> > SPF record and use it for your domain. If your ISP is doing SPF checks
> > you might need to talk to their MTA via SMTP AUTH to bypass that test.
>
> a) an average user has no knowledge of SPF and cannot set up such a
> record correctly

If they can't set up the SPF record initially, then how does routing
their email via their ISP defeat SPF? Bringing up that concern implies
that the admin of this hypothetical mail system *is* able to set up an
SPF record that mail routed via the ISP would break.

> b) most providers (at least around here) don't allow users to freely
> modify their dns zones

So host your DNS somewhere that does allow control. DNS hosting is
separable from ISP connectivity, and again, we're assuming that the
user is able to set up SPF in the first place.

> c) users using laptops might be using many different providers - the one
> at home, the one in the office, one on the road, an occasional wlan one
> - you just can't include all these providers' MTAs that you might ever be
> using

...how the heck would you set up SPF to cover a roaming mail source in
the first place?? Dynamically-updating SPF records with short TTL?

> I agree for (some) businesses this might be doable as long as their guys
> aren't travelling or home working too much but it's impossible for
> privately owned domains or when the users use their emails from all
> their private ISPs at home

I'm sorry, I assumed your original hypothetical was for a one- or
two-person home-based business, not multiple roaming users having
multiple ISPs.

For the case where all of the users are at the same ISP, it *is* doable
assuming the ISP will relay messages submitted via SMTP AUTH without
performing SPF checks or verification that the FROM address is in a
domain the ISP controls.

Of course, SMTP AUTH + promiscuous relay does not prevent spamming with
forged sender addresses. It might make it easier to track down the
p0wned box, but it won't block the mail based on the domains in the
envelope.
-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The fetters imposed on liberty at home have ever been forged out of
  the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.             -- James Madison, 1799
-----------------------------------------------------------------------
 4 days until Bill of Rights day
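The "grab your ISP's SPF record and use it for your domain" approach discussed above, as an added example that is not part of the original thread: a minimal SPF evaluator over constructed zone data (the names isp.example and homebiz.example and their address ranges are hypothetical) showing that mail relayed through the ISP's MTAs passes for the home-business domain, while the same domain sent from a roaming source on another provider fails. It handles only the ip4, ip6, include and all mechanisms.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (hypothetical names).
# homebiz.example routes outbound mail via the ISP, so it just includes
# the ISP's own record rather than listing addresses itself.
ZONE = {
    "isp.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "homebiz.example": "v=spf1 include:isp.example -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(domain)


def check_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record for a sending IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (include chain too deep). Mechanisms other than ip4, ip6,
    include and all are treated as non-matching.
    """
    if depth > 10:  # SPF caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only if the referenced domain's record passes;
            # any other result falls through to the next term (here "-all")
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"
```

A roaming laptop sending directly from a hotel or WLAN address is exactly the case the include cannot cover, which is why the thread ends up at SMTP AUTH submission through the ISP's MTAs.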