On Tue, Apr 06, 2004 at 03:40:58PM -0700, Harry Katz wrote:
> Regarding your caveat below, this is a good point. However, there are
> also lots of clients connected directly to their ISPs who do have such
> access. So if possible we shouldn't preclude verification from the MUA,
> though I readily agree the MTA is the best place to do this.
> In any case, my original point was simply that the end user needs to be
> informed in cases where we validate something other than the From line.
> I did not mean to imply that the MUA must perform the validation in

The problem is how to communicate this to the MUA.
If you reject messages that fail the check at SMTP level it is not
too big a problem, but if you forward it to the MUA, simply adding a
header will /surely/ not be sufficient. This will open the door to
simply adding this in the original email. To protect against this
you need complicated workarounds for MTAs to filter this on incoming
connections, but of course not all MTAs may do this, as internal
forwarders and gateways must keep the information. This doesn't look
rather trustworthy to me, so if we don't decide for "reject" I am
against MTA checks.
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
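
The header-trust problem raised in the reply above, as an added example that is not part of the original message: a border MTA has to drop any result header that arrived with the mail before recording its own, while internal forwarders keep it. The header name `X-Sender-Check`, the host names, the relay addresses and the sample message are all constructed for illustration; the thread names none of them.

```python
from email import message_from_string
from email.message import Message

# Hypothetical header name; the thread does not specify one.
RESULT_HEADER = "X-Sender-Check"
# Constructed: internal forwarders/gateways inside our own administrative boundary.
TRUSTED_RELAYS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample: mail from outside that already carries a forged result.
FORGED = (
    "From: someone@example.com\n"
    "X-Sender-Check: pass; by=mx.example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def stamp_result(raw: str, peer_ip: str, result: str, hostname: str) -> Message:
    """Handle one message at one MTA hop.

    Border hop (peer not trusted): remove every pre-existing result header,
    since the sender could have written it, then record our own check.
    Internal hop (peer trusted): leave the border MTA's header untouched.
    """
    msg = message_from_string(raw)
    if peer_ip not in TRUSTED_RELAYS:
        del msg[RESULT_HEADER]  # deletes all occurrences, case-insensitively
        msg[RESULT_HEADER] = f"{result}; by={hostname}"
    return msg


def mua_verdict(msg: Message, my_border: str) -> str:
    """Result an MUA could display: exactly one header, naming its own border MTA.

    This is only as trustworthy as the stripping done at the border; a hop
    that forwards without filtering lets a forged header pass this check.
    """
    values = msg.get_all(RESULT_HEADER, [])
    if len(values) != 1 or not values[0].endswith(f"by={my_border}"):
        return "unknown"
    return values[0].split(";", 1)[0].strip()
```

Running `FORGED` through a hop that treats the sending peer as trusted leaves the forged `pass` in place, which is the failure the reply describes for MTAs that do not filter.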