On Mon, 4 May 2009, Matus UHLAR - fantomas wrote:
> On 30.04.09 14:24, Charles Gregory wrote:
>> Proposal: "Personal SPF" - A DNS-based lookup system to allow individual
>> senders of e-mail to publish a *personal* SPF record within the context
>> of their domain's SPF records, that would identify an IP or range of IPs
>> which they would be 'stating' are the only possible sources of their
>> mail.

>> Why 'personal'? Because I run an ISP where users *may* send their mail
>> via any number of DSL connections, so I can't publish 'positive' SPF
>> records for our whole domain.

> Do you allow any user to send mail as any user, without need of
> authentication on your mailserver? Even if you run their
> mailboxes/addresses?

OUR mail server *requires* that a user be connected via our dialups.
And as far as I am aware, the NAS does not permit direct port 25 access to any other server. 100% secure and traceable. Our problem, which prevents ordinary SPF, is that some of our users have third-party access (DSL or cable) and use that company's mail server to send mail, but with an hwcn.org return address.

The only other possible work-around for this is to enforce a 'hard' SPF and establish 'pop before SMTP' or 'SMTP auth' protocols, then spam our membership informing them that use of our server is mandatory. But that would cause problems, because we don't really know *who* is using third party servers, and too many of them wouldn't read the notice... :(

But if we had a 'personal' system, then for as many members as we reach (who pay attention to notices), we could have them 'opt-in' to a voluntary "I only send my mail from here" type of system, and then that would at least provide *some* address protection/confirmation.

> Do they all have static IP addresses or do you simply allow users from dynamic addresses to send mail directly?

As noted above, we can control our (dynamic) dialups, but not third party usage. So effectively, anyone, anywhere, can use an hwcn.org return address. This is something I'd really like to limit to legitimate users without enforcing use of our mail server only (though I realize this may be the best long term solution for us).

Of course, my suggestion also hinges on whether there are a sufficient number of other systems out there in a similar 'position' as us, who would also benefit from this 'next level' of SPF verification...

- Charles
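
A sketch of the opt-in lookup proposed in this message, added here as an example and not code from the thread or from any SPF implementation: a receiver looks for a per-sender record first and falls back to the domain's record. The `_personal` label, the `example.org` names and the TXT records are constructed assumptions, and only the `ip4`/`ip6`/`all` mechanisms are evaluated.

```python
import ipaddress
import re

# Constructed TXT data standing in for DNS. The "_personal" label and the
# example.org names are assumptions for illustration, not a standard.
TXT = {
    "example.org": "v=spf1 ?all",  # domain cannot list every user's source
    "alice._personal.example.org": "v=spf1 ip4:192.0.2.0/28 -all",  # opted in
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SAFE_LOCAL = re.compile(r"[a-z0-9_-]+(\.[a-z0-9_-]+)*")


def evaluate(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record for one client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "permerror"  # mechanism outside this sketch's subset
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def check_sender(mail_from, client_ip, txt=TXT):
    """Return (policy_used, result): personal record first, then domain."""
    local, _, domain = mail_from.lower().rpartition("@")
    # Only build a DNS name from local parts that are safe as labels.
    if SAFE_LOCAL.fullmatch(local):
        personal = txt.get(f"{local}._personal.{domain}")
        if personal is not None:
            return "personal", evaluate(personal, client_ip)
    return "domain", evaluate(txt.get(domain, ""), client_ip)


if __name__ == "__main__":
    for sender, ip in [("alice@example.org", "192.0.2.5"),
                       ("alice@example.org", "198.51.100.7"),
                       ("bob@example.org", "198.51.100.7")]:
        print(sender, ip, check_sender(sender, ip))
```

SPF's `%{l}` macro (RFC 7208) expands to the sender's local part, which is one way a domain record can refer to per-user names like these.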
