Should there be an outbound signing policy that says "I sign SOME mail but
third-party signatures are not permitted"? It seems like there should be,
and that it should be the RECOMMENDED default. To use Hector's terminology,
a RELAXED policy would allow the kind of signature-verified spoofed From
header talked about elsewhere on this list. The purpose of RELAXED (as I
understand) is for people who aren't sure they have all the bases covered.
Until they are, RELAXED is the way to go. But, presumably, even if you
don't know all your outbound signing servers, they would be within your
domain structure (thus of the form <x>.domain.com), so RELAXED would be ok
and "no third-party signing allowed" would also be ok.

Maybe we should add another policy of:

o=? WEAK (signature optional, no third party)

Hector's legend for reference:

o=~ NEUTRAL or RELAXED (signature optional [,No 3rd party?])
o=- STRONG (signature required, 3rd party allowed)
o=! EXCLUSIVE (signature required, no 3rd party)
o=. NEVER (no mail expected)
o=^ USER
--
Arvel