On Mon, 2006-06-12 at 11:32 +0300, Matti Aarnio wrote:
> SPF is application level version of this type of source sanity
> enforcement, and all that I intend to do is to publish that TXT
> entry for VGER.
Precisely _because_ SPF is at the application level, it doesn't make
sense. In the real world, you just can't assume that mail will arrived
_directly_ from the machine which originated it.
Think about what happens if you do your 'source IP sanity enforcement'
at the wrong level... if you insist that the MAC address on the Ethernet
packet you receive must match a MAC address published in DNS for that
host. If you do that, you _will_ break things because the Internet isn't
a single big Ethernet switch -- stuff gets _routed_. The same principle
applies to mail, and that's the problem with SPF.
You can make restrictions about which hosts may use your domain in HELO
(http://mipassoc.org/csv/), but linking domain names used in MAIL FROM:
to certain IP addresses is not compatible with current practice.
But let's back up a moment... precisely what is it that you think you
gain by publishing an SPF record for vger? There are almost certainly
better ways to achieve that goal, whatever it is.
You can address forgery _without_ having to break SMTP. I'd much rather
see vger doing DomainKeys/IIM and BATV.
I accept that you need to break eggs to make an omelette. But you don't
have to run amok in the kitchen, and smash the frying pan too.
--
dwmw2
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]