I'm a member of the ASRG's Filtering sub-group, and we are considering
implementing a header that references the timestamp recorded in the Received
headers of a message. We want to use knowledge of the exact value of this
timestamp to authenticate that a filtering header was added after a
particular Received header. However, it has come to our attention that
RFC2822 permits the omission of seconds from this timestamp [1]. This
presents a slight, but not discountable, forgery risk.
Therefore, I'd like to ask if anyone here knows of any SMTP server
implementation that does not include seconds in the trace field.
Please forward this to any other person or list who would be (more?)
qualified to answer. I will collect and report any affirmative responses
here and in the filtering group.
Thank you for your time.
Sincerely,
Philip Miller
[1] http://asg.web.cmu.edu/rfc/rfc2822.html#sec-3.3
The relevant BNF line is:
time-of-day = hour ":" minute [ ":" second ]
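A check for the case the message asks about, as an added example that is not part of the original message: it unfolds the headers, takes the date-time after the last ";" of each Received field, and reports whether the time-of-day carries seconds. The function names and the sample headers are constructed for illustration.

```python
import re

# RFC 2822 section 3.3: time-of-day = hour ":" minute [ ":" second ]
# Lookarounds keep the match from starting or ending inside a longer
# digit/colon run (for example an IPv6 literal).
TIME_OF_DAY = re.compile(r"(?<![\d:])(\d{2}):(\d{2})(?::(\d{2}))?(?![\d:])")

def unfold(raw_headers):
    """Join folded header lines (continuations start with space or tab)."""
    fields = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line:
            fields.append(line)
    return fields

def received_timestamps(raw_headers):
    """Return (date_time_text, has_seconds) per Received field, topmost first.

    has_seconds is None when no ";" or no time-of-day could be found.
    """
    results = []
    for field in unfold(raw_headers):
        name, _, body = field.partition(":")
        if name.strip().lower() != "received":
            continue
        # The date-time follows the last ";" of the trace field.
        _, sep, tail = body.rpartition(";")
        date_time = tail.strip() if sep else ""
        match = TIME_OF_DAY.search(date_time)
        has_seconds = None if match is None else match.group(3) is not None
        results.append((date_time, has_seconds))
    return results

# Constructed sample: the first hop records seconds, the second omits them.
SAMPLE = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\r\n"
    "\tby mail.example.org with ESMTP id ABC123;\r\n"
    "\tTue, 14 Oct 2003 09:15:42 -0400\r\n"
    "Received: from client.example.com by mx1.example.net;\r\n"
    " Tue, 14 Oct 2003 09:15 -0400\r\n"
    "Subject: test\r\n"
)

if __name__ == "__main__":
    for text, has_seconds in received_timestamps(SAMPLE):
        print(f"{'ok' if has_seconds else 'NO SECONDS':10} {text}")
```

A Received field reported without seconds is one whose timestamp a filtering header could not pin down more precisely than the minute.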