From: Paul Judge <paul(_dot_)judge(_at_)ciphertrust(_dot_)com>
...
Vernon, can you post Vixie's suggestions that you referring to so that
everyone is aware of them. Can you also explain in more detail the
difference between those and RMX to show why you say that it is simpler.
...
Paul Vixie's suggestion is differs from the common and old mechanism
of rejecting mail with Mail_From values of free providers when the
SMTP client is not an MTA of the free provider. RMX and Paul's notion
allow the owner of a sender domain to authorize not only SMTP clients
with names related to the sender domain but also SMTP clients in a
small number of additional domain names to also send mail nominally
from the sender domain. (The number is small because of the limited
size of DNS/UDP packets.)
I searched for but failed to find Paul Vixie's short mail message
describing the idea. My recollection and perhaps slight elaboration
of it is:
To determine if an STMP client is authorized to send mail for the
sender domain name in the envelope Mail_From field
1. an SMTP server first compares the reverse DNS name of the SMTP
client with the sender domain. If they match by the usual rules
(e.g. user(_at_)example(_dot_)com matches mailhost.example.com), then the
STMP
client is authorized. To prevent forgery, the usual reverse-forward
DNS check is made.
2. Otherwise the SMTP server searches for MX RRs for the sender
domain. The IP address of the SMTP client is then compared to the
list of IP address eventually obtained for the names in the MX RRs.
(As usual and described in RFC 2821, if no MX RRs are found, the
IP address of A RRs, if any, are used.) If the SMTP client's IP
address is a member of this list, then the SMTP client is authorized.
3. Otherwise the SMTP server checks the list of MX RRs for a record
with the preference 65391. If such a record exists, the SMTP server
knows that sender domain is participating in this standard, the
list of MX RRs contains a complete list of the SMTP clients authorized
to send mail for the sender domain, and that the SMTP server is
unauthorized. The SMTP server therefore rejects the message.
4. Otherwise the sender domain is not particpating and the SMTP
server does not know whether the SMTP client is authorized to send
the message. The SMTP server procedes according to local policy
and other standards.
Note that:
- An authorized SMTP client need not be an SMTP server. While its
IP address will found by other SMTP clients looking for an SMTP
server for the domain, its preference will be numerically higher
than all working SMTP servers. Only when all other SMTP servers
are also not working will SMTP clients try to send to it. They
will immediately receive and ICMP Port Unreachable and give up.
- Most mail will already pass this test, because it is sent from
SMTP clients that are also SMTP servers for the sender domain.
- Step #1 is currently used. Many SMTP servers, albeit a small
fraction of all SMTP servers, reject mail that does not satisfy
the test in step #1.
- The preference 65391 is choosen to be probably not currently used
in any MX RR in the Internet.
- This scheme is better than the RMX proposal because it has achieves
the same goal, does not require the standardization and implementation
of a new DNS RR in DNS server software and MTAs. It requires
only small changes in system administration conventions and modest
changes in MTAs.
- I do not like this scheme, because I do not agree with the goal of
forcing people to use the same going as incoming ISPs.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg