>> On 30.04.09 14:24, Charles Gregory wrote:
>>> Proposal: "Personal SPF" - A DNS-based lookup system to allow individual
>>> senders of e-mail to publish a *personal* SPF record within the context
>>> of their domain's SPF records, that would identify an IP or range of IPs
>>> which they would be 'stating' are the only possible sources of their
>>> mail.
>>>
>>> Why 'personal'? Because I run an ISP where users *may* send their mail
>>> via any number of DSL connections, so I can't publish 'positive' SPF
>>> records for our whole domain.
> On Mon, 4 May 2009, Matus UHLAR - fantomas wrote:
>> Do you allow any user to send mail as any user, without need of
>> authentication on your mailserver? Even if you run their
>> mailboxes/addresses?

On 04.05.09 10:31, Charles Gregory wrote:
> OUR mail server *requires* that a user be connected via our dialups.

What do you mean? Users connected by your dialups can only be connected to
your mail server? I know some ISPs do that and quite agree with that,
especially for dynamically-allocated IPs (some people prefer not to reject
such mail and then comply).

> And as far as I am aware, the NAS does not permit direct port 25 access
> to any other server.

The mail can be sent using other ports; 587 is well defined for mail
submission and 465 can be used for the same reason (with SSL), as my company
does. However, submitting mail via other ports should require
authentication, and if anyone does not, it's completely their problem.

> 100% secure and traceable. Our problem, which
> prevents ordinary SPF, is that some of our users have third-party access
> (DSL or cable) and use that company's mail server to send mail, but with
> an hwcn.org return address.
> The only other possible work-around for this is to enforce a 'hard' SPF
> and establish 'pop before SMTP' or 'SMTP auth' protocols, then spam our
> membership informing them that use of our server is mandatory. But that
> would cause problems, because we don't really know *who* is using third
> party servers, and too many of them wouldn't read the notice... :(

I don't see this as a problem. Since all those mailboxes are hosted on your
machines, it shouldn't be hard to notify all customers that they MUST send
mail from domains hosted on your servers using your servers. That's a
requirement when implementing anti-forgery tools like SPF/DKIM, and many
hostings enforce that (by publishing SPF/DKIM records and refusing mail
from: such domains).
>> Do they all have static IP addresses or do you simply allow users from
>> dynamic addresses to send mail directly?
>
> As noted above, we can control our (dynamic) dialups, but not third party
> usage. So effectively, anyone, anywhere, can use an hwcn.org return
> address. This is something I'd really like to limit to legitimate users
> without enforcing use of our mail server only (though I realize this may
> be the best long term solution for us).

I'm afraid that enforcing your servers for hosted domains is the only way to
use SPF/DKIM. Per-user SPF is IMHO overkill.

> Of course, my suggestion also hinges on whether there are a sufficient
> number of other systems out there in a similar 'position' as us, who
> would also benefit from this 'next level' of SPF verification...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
WinError #99999: Out of error messages.
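As an added illustration of the trade-off discussed in this thread (example code, not from any poster): a minimal SPF evaluator run over constructed hwcn.org-style records, showing why a 'positive' record with `-all` rejects members who relay through a third-party provider's server, while `~all` or `?all` only weakens the statement. The IP ranges and records below are constructed for the example, not the ISP's real data.

```python
import ipaddress

# Constructed data for the scenario in the thread: 192.0.2.0/24 stands in
# for the ISP's own dialup pool, 198.51.100.25 for a third-party DSL/cable
# provider's mail server that some members use with an hwcn.org address.
RECORDS = {
    "hard": "v=spf1 ip4:192.0.2.0/24 -all",    # positive record: relays fail
    "soft": "v=spf1 ip4:192.0.2.0/24 ~all",    # receivers may tag, not reject
    "neutral": "v=spf1 ip4:192.0.2.0/24 ?all", # says nothing about other IPs
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all subset of SPF (RFC 7208) for one sender IP.

    Returns pass/fail/softfail/neutral. include, a, mx, exists and macros
    are deliberately unsupported and raise ValueError rather than silently
    producing a wrong verdict.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to pass when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            # Mixed address families never match, so IPv4 senders skip ip6 terms.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"unsupported mechanism: {name}")
    return "neutral"  # no mechanism matched and no 'all' term present


def outcomes(record: str) -> dict:
    """Verdicts for a member on the dialup pool vs. one relaying via a third party."""
    return {
        "dialup_member": evaluate_spf(record, "192.0.2.77"),
        "third_party_relay": evaluate_spf(record, "198.51.100.25"),
    }


if __name__ == "__main__":
    for name, rec in RECORDS.items():
        print(f"{name:8} {rec:35} {outcomes(rec)}")
```

Only the `hard` record lets receivers reject forged hwcn.org mail, and it is exactly the one that also rejects the members using third-party servers, which is why requiring SMTP AUTH on the ISP's own submission ports is the precondition for publishing it.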