Andrew Jorgensen wrote:
http://corp.aol.com/press/ASTA_Statement_of_Intent.pdf


Huh? This doc is a statement of intent that refers to a first draft of
a best practices doc which suggests changing port numbers for mail
submission so that there will be a clear distinction between MTA and
MSA.  In the first place it has nothing to do with what is done (or
will be done for many years to come) and in the second place a
properly configured mail server already makes these distinctions
without running on different ports.

I doubt it will be many years. The major ISPs are being much more aggressive than I would have expected with regard to SPF. Getting people to use the designated mail server for their domain is a prerequisite to making SPF work. Hotmail will stop accepting mail which fails the SPF check on October 1st.



Of course I can use my local MX to send mail as someone else.  I do it
all the time and I've done it with just about every mail server I've
ever used.  Maybe some day this will change, but what difference will
that make?  Can't a worm just send mail from [EMAIL PROTECTED] or some
other legitimate-looking address?  If all mail submissions required
authentication, worms would just use MAPI to bypass it.

The document I mentioned also recommends setting up rate-limiting on a per-user basis. That would all but eliminate attempts to bypass SPF by using the local MX. Again, I expect that the major ISPs will implement it this year, and support for that will probably be in the major MTA packages soon as well.


I personally don't like a few things about SPF, but the major ISPs are pushing hard for it. I don't see that we MTA operators have much choice but to comply, if we want to continue to exchange mail with the rest of the world.


____________________
BYU Unix Users Group http://uug.byu.edu/
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
