On 2004-07-29 15:40:56 +0100, Tony Finch wrote:
> Bill Cole <grsa at billmail.scconsult.com> wrote:
> >
> > The original SPF/RMX/DRIP proposals broke forwarders, the mess that
> > MS has proposed and Yahoo's Domain Keys do not. SPF has a workaround
> > for forwarders.
>
> Incorrect. Sender-ID breaks forwarders just as much as SPF does,

No, because it doesn't inspect the envelope but the headers. By looking
for headers typically inserted by forwarders it avoids some of the
breakage of SPF. Of course not all forwarders insert such headers, so
this won't work in all cases (and I wouldn't try to guess at the
percentage). OTOH, for this reason Sender-ID is much more expensive
than SPF.

> and it requires all forwarders to implement a change which is in
> contradiction to RFC 2822

You mean "must not change or inspect headers except insert a Received
header"? That's true, but many MTAs already break that requirement, so
practically, that's not much of a change.

> The alternative to changing all forwarders is a forwarder whitelisting
> system which eliminates what little security designated sender schemes
> allegedly provide.

Depends on the forwarder. If the forwarder also filters on a designated
sender scheme, it can be whitelisted without reducing security. If it
doesn't, you could still use the Received header inserted by the
forwarder instead of the forwarder's IP address (for Sender-ID you have
to inspect the headers anyway, so that's only a small additional
expense).

	hp

-- 
   _  | Peter J. Holzer    | The further north you go, the less is spoken
|_|_) | Sysadmin WSR       | at all, and so no dialect either.
| |   | hjp at hjp.at      | Hallig Gröde is almost entirely dialect-free.
__/   | http://www.hjp.at/ |    -- Hannes Petersen in desd
Attachment:
pgpjLTBfMVIaq.pgp
Description: PGP signature
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
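The three checks argued over in the message above, run side by side on a constructed forwarded message. This is an added example, not code from the thread or from any SPF/Sender-ID implementation: the SPF records live in a static dict (no DNS), the SPF evaluator understands only `ip4:` and `-all`, and the PRA selection is the simplified Resent-Sender / Resent-From / Sender / From order rather than the full RFC 4407 algorithm. All domains (origin.example, forwarder.example, receiver.example), addresses, IPs and Received lines are made up for the illustration. It shows the envelope SPF check failing once the mail has passed through the forwarder, the header-based Sender-ID check passing only when the forwarder inserted Resent-* headers, and the "use the forwarder's own Received header instead of its IP" trick from the last paragraph.

```python
"""Constructed example: SPF on the envelope vs Sender-ID on the headers for a
forwarded message, plus the trusted-forwarder Received-header walk.
Simplified: static SPF records, ip4:/-all only, simplified PRA selection."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records for hypothetical domains; nothing is looked up in DNS.
SPF_RECORDS = {
    "origin.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Constructed message as seen by mx.receiver.example after forwarding:
# origin.example -> forwarder.example -> receiver.example.
_RECEIVED = [
    "Received: from mx.forwarder.example (mx.forwarder.example [203.0.113.10])",
    "    by mx.receiver.example with ESMTP; Thu, 29 Jul 2004 16:00:00 +0100",
    "Received: from mail.origin.example (mail.origin.example [198.51.100.5])",
    "    by mx.forwarder.example with ESMTP; Thu, 29 Jul 2004 15:59:00 +0100",
]
_RESENT = ["Resent-From: bob@forwarder.example", "Resent-To: bob@receiver.example"]
_ORIGINAL = ["From: alice@origin.example", "To: bob@forwarder.example",
             "Subject: forwarding test", "", "body"]
MSG_WITH_RESENT = message_from_string("\n".join(_RECEIVED + _RESENT + _ORIGINAL))
MSG_WITHOUT_RESENT = message_from_string("\n".join(_RECEIVED + _ORIGINAL))

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def spf_check(domain, client_ip):
    """Minimal SPF evaluator: ip4:<cidr> mechanisms and a -all/~all default."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"


def envelope_check(mail_from, client_ip):
    """Classic SPF: MAIL FROM domain against the connecting IP."""
    return spf_check(domain_of(mail_from), client_ip)


def purported_responsible_address(msg):
    """Simplified Sender-ID PRA: first present of Resent-Sender, Resent-From,
    Sender, From. A forwarder that adds Resent-* headers thereby names itself."""
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        value = msg.get(header)
        if value:
            return parseaddr(value)[1]
    return None


def sender_id_check(msg, client_ip):
    """Sender-ID: the PRA's domain against the connecting IP."""
    pra = purported_responsible_address(msg)
    return "none" if pra is None else spf_check(domain_of(pra), client_ip)


def trusted_forwarder_check(msg, mail_from, client_ip, trusted_forwarders):
    """If the connecting host is a trusted forwarder, take the IP from the
    Received header that forwarder itself added (the hop that handed the mail
    to it) and evaluate the envelope sender's SPF against that IP instead."""
    forwarder = next((d for d in trusted_forwarders
                      if spf_check(d, client_ip) == "pass"), None)
    if forwarder is None:
        return envelope_check(mail_from, client_ip)
    for received in msg.get_all("Received", []):
        # Received headers are newest first; the forwarder's own line reads
        # "... by <host>.<forwarder>" and names the previous hop in brackets.
        if re.search(r"\bby\s+\S*" + re.escape(forwarder), received):
            m = _RECEIVED_IP.search(received)
            if m:
                return spf_check(domain_of(mail_from), m.group(1))
    return "permerror"  # trusted forwarder but no usable Received line from it


if __name__ == "__main__":
    ip = "203.0.113.10"  # the forwarder is what connects to us
    print("SPF on envelope      :", envelope_check("alice@origin.example", ip))
    print("Sender-ID, Resent-*  :", sender_id_check(MSG_WITH_RESENT, ip))
    print("Sender-ID, no Resent :", sender_id_check(MSG_WITHOUT_RESENT, ip))
    print("Trusted fwd, Received:", trusted_forwarder_check(
        MSG_WITHOUT_RESENT, "alice@origin.example", ip, ["forwarder.example"]))
```

Running it prints fail / pass / fail / pass in that order, which is the shape of the argument: the envelope check cannot survive forwarding, the header check survives it only when the forwarder cooperates by adding Resent-* headers, and a whitelisted forwarder can still be held to the original sender's policy if the receiver reads the Received line the forwarder added rather than trusting its IP outright. A forged Resent-From naming forwarder.example from some other IP still fails, since the PRA domain's record is evaluated against the actual connecting address.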