At 16:22 11/05/2002 -0500, Eric A. Hall wrote:
> which I'm not sure about). There is certainly some scale involved here but
> the core problem of identity within a domain has already been solved by
> SMTP AUTH. If I could refuse mail from user(_at_)hotmail(_dot_)com unless it
> came from a server authorized to transfer mail on behalf of hotmail.com --
> and if hotmail.com enforced authentication (which they do, via the login
> page) -- then I can be pretty sure that user(_at_)hotmail(_dot_)com really
> sent the mail.

That's an interesting point.
The difficult bits, at the moment, are: (1) knowing that the message has
come from a server authorized to transfer mail on behalf of hotmail.com,
and (2) if it's gone through multi-hop servers, checking that it's not been
faked in that part of the process.
Problem (1) could be solved by having an SMTP extension where the MX
servers for a domain can be asked if a particular IP address is allowed to
send mail on behalf of that domain.
This would solve the problem where the sender (e.g. Hotmail) sends directly
to your own SMTP server. Your server could then do an MX lookup on the MAIL
FROM address, and send a query back to that server to ask if the sending
mail server is allowed to send mail from that address.
Problem (2) is more tricky, but it would only be needed where mail from the
sender's domain doesn't come directly to you, but goes through other
(untrusted) relays in between. The only solution I can come up with, off
the top of my head, is a 'brute force' one - each SMTP server could
remember ALL the message-IDs of messages it has sent in the past, say, 5
days, then when you receive a message, you could do an MX lookup and ask
the source server 'did you send message-ID xxxx'. I'm not really happy with
this solution, but I don't really know if there is a problem here in the
first place. (How often do people receive mail which comes to them via an
untrusted relay not run by the sending domain, or the sending domain's ISP?)
Paul VPOP3 - Internet Email Server/Gateway
paul(_at_)pscs(_dot_)co(_dot_)uk http://www.pscs.co.uk/
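
The two queries proposed in this message, modelled in memory as an added example (not part of the original message, and not an existing SMTP extension). The `DomainMX` class, the `receiver_check` function and the example.com / 192.0.2.0/24 values are hypothetical, and a dictionary stands in for the MX lookup.

```python
import ipaddress
import time

RETENTION_SECONDS = 5 * 24 * 3600  # "the past, say, 5 days"


class DomainMX:
    """Hypothetical MX for a sending domain, answering both proposed queries."""

    def __init__(self, domain, authorized_networks):
        self.domain = domain
        self.networks = [ipaddress.ip_network(n) for n in authorized_networks]
        self.sent = {}  # Message-ID -> time the message was sent

    def record_sent(self, message_id, now=None):
        self.sent[message_id] = time.time() if now is None else now

    def is_authorized_sender(self, ip):
        # Problem (1): is this IP allowed to send mail on behalf of the domain?
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def did_you_send(self, message_id, now=None):
        # Problem (2): was this Message-ID sent inside the retention window?
        now = time.time() if now is None else now
        # Drop expired entries so the log stays bounded.
        self.sent = {m: t for m, t in self.sent.items()
                     if now - t <= RETENTION_SECONDS}
        return message_id in self.sent


def receiver_check(mx_by_domain, mail_from, peer_ip, message_id, now=None):
    """Receiving server's decision for one incoming message."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    mx = mx_by_domain.get(domain)  # assumption: stands in for the MX lookup
    if mx is None:
        return "reject: no MX for sender domain"
    if mx.is_authorized_sender(peer_ip):
        return "accept: direct from authorized server"
    if mx.did_you_send(message_id, now):
        return "accept: relayed, Message-ID confirmed by origin"
    return "reject: unauthorized peer and unknown Message-ID"


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    mx = DomainMX("example.com", ["192.0.2.0/24"])
    mx.record_sent("<a1@example.com>")
    table = {"example.com": mx}
    print(receiver_check(table, "user@example.com", "192.0.2.10", "<x@example.com>"))
    print(receiver_check(table, "user@example.com", "198.51.100.7", "<a1@example.com>"))
    print(receiver_check(table, "user@example.com", "198.51.100.7", "<forged@example.com>"))
```

The Message-ID query confirms only that the origin sent some message with that ID inside the window; it does not bind the ID to the message's content or recipient.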