ietf-asrg

Re: [Asrg] Domain-Authorized SMTP Mail

2003-03-18 12:36:19
On Tue, 18 Mar 2003 14:18:19 EST, David Green said:

The vt.edu domain certainly only has a few authorized outgoing smtp
relays. I don't think they handle enough mail to justify a server farm
of 200 servers just for their email.

The question is whether AOL.COM has few enough authorized outbound relays
that it fits in a single 512-byte UDP DNS query.  I know they can't fit
all their inbounds into one packet, so I suspect the outbounds don't either.

And it's even more borked for mailing lists, because the From: and To:
don't have much to do with what's going on.  The mail server for
couchpotato.net would be looking at this message, and complaining because
the ietf.org mail server isn't an MT for the vt.edu in the From: field.

That's why the asrg(_at_)ietf(_dot_)org address would have to be used for
authorization.

Hey, what do you know... asrg(_at_)ietf(_dot_)org isn't in the From: - in
fact, if it's bcc:ed it may not appear in the RFC822 headers *AT ALL*.

The copy from you to me would be authorized as coming from you. The copy
from you to the mailing list would be authorized by Majordomo to be
coming from you.

Majordomo may not be able to authorize it - see my discussion about MX
handling, which also matters in case of firewalls and mail servers in the DMZ.

When the mailing list resends the message, the message
would be checked by each recipient's MX as coming from
asrg(_at_)ietf(_dot_)org. As you see, the From: starts to have real meaning.

If my MX trusted mail.mx-are-us.com, it would not strip the
Authorized-By header.

But that's not what your draft said.  It said it *MAY* be configured to
do so.  MAY means it's *optional*, not "you have to do it for it to work
the way you expect" - that's what MUST is for.

The point is you need to tighten up the language about what to do if
accepting relayed mail.  The current language:

   SMTP servers SHOULD remove any Authorized-By SMTP headers of
   incoming mail. They MAY be configurable to preserve Authorized-By
   headers on incoming mail from a set of trusted servers.

is broken.  For it to be workable, you need to make it a 'MUST preserve'
for the case of mail coming from your MX'es.

Your MX's would be trusted servers.

Then fix your MAY.

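Added example, not part of the original message or of the draft it discusses: the receiving-side handling of Authorized-By argued over above, showing what an internal server sees when the optional MAY is left unimplemented versus when headers from its own MX are preserved. The header value, addresses, network list and function names are constructed for illustration; the draft's actual header syntax is not shown on this page.

```python
import ipaddress
from email import message_from_string

HEADER = "Authorized-By"  # header name taken from the quoted draft text


def is_trusted(peer_ip, trusted_nets):
    """True if the connecting SMTP peer is one of our trusted servers."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


def accept(raw, peer_ip, trusted_nets, preserve_from_trusted):
    """Apply the draft's rule to one incoming message.

    preserve_from_trusted=False models a server that implements only the
    SHOULD (strip everything). True models the MAY being implemented,
    which is what the reply says has to be a MUST for one's own MXes.
    """
    msg = message_from_string(raw)
    if not (preserve_from_trusted and is_trusted(peer_ip, trusted_nets)):
        del msg[HEADER]  # removes every occurrence; no error if absent
    return msg


# Constructed sample data (documentation address ranges, made-up value).
OWN_MX = ["192.0.2.10/32"]
SAMPLE = (
    "Authorized-By: mx1.example.net\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def demo():
    """Return the Authorized-By value the internal server ends up with."""
    return {
        # Own MX checked the sender, but the inner hop strips the result.
        "via_mx_strip_all": accept(SAMPLE, "192.0.2.10", OWN_MX, False)[HEADER],
        # Own MX is trusted, so its verdict survives the relay hop.
        "via_mx_preserve": accept(SAMPLE, "192.0.2.10", OWN_MX, True)[HEADER],
        # A stranger's self-supplied header is removed in either mode.
        "stranger_preserve": accept(SAMPLE, "203.0.113.7", OWN_MX, True)[HEADER],
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(case, "->", value)
```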