
is sender rewriting really necessary?
On Mon, Oct 06, 2003 at 02:08:19PM -0400, spf-discuss-request@v2.listbox.com wrote:
| Dear Moderator,
|
| jesus@ipns.com has subscribed to spf-discuss.
| [...]
|
| Jesus Duarte
| UNIX/Windows Systems Administrator (geek)
| http://www.ipns.com/
|
| Ranked in the Top 25 Technology Providers,
| Rated as 4th largest ISP in the state of Oregon
| by the "Oregon Business Journal 2002"
|

Suppose the 4th largest ISP in the state of Oregon decides to start
publishing SPF records.

Suppose hp.com decides to start respecting SPF.

Suppose pobox.com isn't yet performing sender rewriting.

Mail from ipns.com forwarded through a pobox.com account would be
rejected by hp.com.

The ipns customer complains to IPNS and to Pobox saying because of SPF
he can't email his friend at pobox.com.

The pobox.com customer complains to HP and to Pobox.com saying because
of SPF he's not getting mail.

Tally:

ISP          # of complaints
--------------------------
ipns.com     1
hp.com       1
pobox.com    2

Scenario 1:

IPNS says, oh, sorry, we'll stop publishing SPF.
HP says, oh, sorry, we'll stop doing SPF checks.

Pobox says, thanks, guys, how nice of you.

Scenario 2:

IPNS says, sorry, we have to do this to protect our name.
HP says, sorry, we have to do this because spam sucks.

Pobox says, I guess we just have to deal.

Which scenario is more likely?

Now the question is, how will pobox deal: with sender rewriting or
something else? And if it's something else, we need to come up with it
fast.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/
Re: is sender rewriting really necessary?
Hi !!

> Now the question is, how will pobox deal: with sender rewriting or
> something else? And if it's something else, we need to come up with it
> fast.

I agree, email forwarding is widely used and spf itself does not come
with a good solution to deal with this.

The problem is that the solution has to be implemented at the site that
does the email forwarding as spf will break email forwarding done at
those sites. The simplest solution will be to just replace the envelope
sender with a local email address (i.e. postmaster@pobox.com), this
way the postmaster will receive the errors generated when forwarding
(which is both a good and a bad thing). They can also do some sort of
sender rewriting which will allow delivery errors to be redirected to
the original sender but has some security problems. If you do not want
to touch the envelope sender then you could add an xtext argument to
the MAIL FROM smtp command to tell the remote mailer which domain to use
in spf tests (this also has some security concerns and will also break
communication to mailers like postfix that do not fully implement rfc's).

--
Best regards ...

Discoveries are made by not following instructions.

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. e-mail david@ols.es
Pintor Vayreda 1 telf +34 902 50 29 75
08184 Palau-Solita i Plegamans movil +34 670 35 27 53
----------------------------------------------------------------
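
A simplified model of the forwarding case discussed in this thread, added here as an illustration (not code from any poster or from the SPF project). The policy table, the addresses (RFC 5737 documentation ranges) and the function names are constructed, and only IP-range matching against the envelope sender's domain is modelled.

```python
import ipaddress

# Constructed policy data: the networks each domain authorises to send
# mail with its name in MAIL FROM. Not real published records.
PUBLISHED = {
    "ipns.com": ["192.0.2.0/24"],
    "pobox.com": ["198.51.100.0/24"],
}

def spf_check(client_ip, envelope_sender):
    """Return 'pass', 'fail' or 'none' for the connecting IP vs. the MAIL FROM domain."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    nets = PUBLISHED.get(domain)
    if nets is None:
        return "none"  # domain publishes nothing, so there is nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

def forward(envelope_sender, forwarder_ip, rewrite_to=None):
    """Model the forwarder's outbound hop as seen by the next MTA.

    Returns (client_ip, MAIL FROM). Without rewrite_to the original
    envelope sender is passed through unchanged.
    """
    return forwarder_ip, (rewrite_to or envelope_sender)

def scenario():
    """Return {case: (check result at the receiver, address that gets bounces)}."""
    original = "customer@ipns.com"
    forwarder_ip = "198.51.100.25"  # constructed pobox.com outbound host
    out = {}
    # 1. ipns.com delivers directly from its own network.
    out["direct"] = (spf_check("192.0.2.10", original), original)
    # 2. Forwarder relays with the envelope sender untouched.
    ip, sender = forward(original, forwarder_ip)
    out["forwarded_unchanged"] = (spf_check(ip, sender), sender)
    # 3. Forwarder replaces the envelope sender with a local address.
    ip, sender = forward(original, forwarder_ip, rewrite_to="postmaster@pobox.com")
    out["forwarded_rewritten"] = (spf_check(ip, sender), sender)
    return out

if __name__ == "__main__":
    for case, (result, bounce_to) in scenario().items():
        print(f"{case:22} {result:5} bounces -> {bounce_to}")
```

The third case passes the check, but delivery errors now go to the forwarder's postmaster rather than to the original sender, which is the trade-off described in the message above.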

Re: is sender rewriting really necessary?
Meng Weng Wong <mengwong@dumbo.pobox.com> writes:
> The pobox.com customer complains to HP and to Pobox.com saying because
> of SPF he's not getting mail.
>
> Tally:
>
> ISP          # of complaints
> --------------------------
> ipns.com     1
> hp.com       1
> pobox.com    2
>
> Scenario 1:
>
> IPNS says, oh, sorry, we'll stop publishing SPF.
> HP says, oh, sorry, we'll stop doing SPF checks.
>
> Pobox says, thanks, guys, how nice of you.
>
> Scenario 2:
>
> IPNS says, sorry, we have to do this to protect our name.
> HP says, sorry, we have to do this because spam sucks.
>
> Pobox says, I guess we just have to deal.
>
> Which scenario is more likely?

There's also scenario 3, where HP whitelists pobox.com, allowing this
kind of forwarding from any IP that forward and back DNS verifies as a
subdomain of pobox.com. We could even create DNS-based whitelists
that reject forwarded mail from a domain unless it shows up in such a
whitelist.

Quick note: I think that SPF also breaks /etc/aliases mailing lists
as well. Are people who have simple lists like this also going to
have to move to something larger with sender-address rewriting?

> Now the question is, how will pobox deal: with sender rewriting or
> something else? And if it's something else, we need to come up with it
> fast.

Would something like an identd for mail work? When a mail is received,
you connect to the DNS-identified server of the sender, submit a
messageid and a sender, and get a response as to whether that message
id was sent by that sender?

--
Ted Cabeen http://www.pobox.com/~secabeen ted@impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com
