
Re: [Asrg] Re: 6 - Designated Relays Inquiry Protocol (DRIP)

2003-06-29 12:18:45
RMX (et al.) deal with the envelope from address.  This proposal has
nothing to do with the envelope.  It is an attempt to sanitize the
hostname specified as the HELO/EHLO when connecting to a remote
MTA.

IOW, if I connect to a remote MTA and my MTA sends the greeting
EHLO play.gamerz.net, that MTA can do a lookup of
my_ip_ad_dr._relays_._email_.play.gamerz.net and see immediately,
if it gets my.ip.ad.dr as the response, that I am indeed
a DRIP subscribed host.  If any other host attempts to connect
and claim to be play.gamerz.net, the IPs will not match (or there
will be no record at all).

If the IPs do not match, it is a host forging my hostname.  Drop
the connection like a hot potato[e].  If no record is returned at all

D'oh!  I forgot to mention.  We don't actually drop the connection here.
We can't.  It might be a host that is doing the EHLO in preparation
for an SMTP AUTH session for a true "local" user who happens to be
roaming.  We don't start rejections until later (during the env-from,
when I can check the status of the SMTP AUTH flags [in the milter
implementation, anyway; other MTA implementations' methodologies may
vary]).

I can't glean anything (yet).  The RECOMMENDED behaviour is to
stop dropping hostname parts...
    my_ip_ad_dr._relays_._email_.gamerz.net
    my_ip_ad_dr._relays_._email_.net

If either of those returns a value, I can say "gamerz.net" does claim
to support DRIP records, but since play.gamerz.net was not found,
that host is not authorized to send mail OUT...  It should have sent
mail via the designated gamerz.net relay, and as such I should
drop this connection.

If no records of any kind are found (even when searching the parents),
I know this domain does not subscribe to the DRIP idea.  I can't
assume anything.  But long(ish) term, if enough domains adopt DRIP,
MTAs might adopt an "if I can't get your DRIP records I won't talk to
you" (much like the current "if I can't resolve your reverse DNS,
I won't talk to you").

Richard "who should be working on the DRIP milter, but it's too nice
outside, so is going to the pool" Rognlie

-- 
 /  \__  | Richard Rognlie / Oracle Prophet / Gamerz.NET Lackey
 \__/  \ | http://www.gamerz.net/rrognlie/    <rrognlie(_at_)gamerz(_dot_)net>
 /  \__/ | The past is the future
 \__/    |                  Nobody expects the spammish inquisition
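The HELO/EHLO check laid out in the message above, as an added Python example (not code from the original post or from the DRIP milter); it assumes the connecting IPv4 address is encoded by replacing its dots with underscores (as "my_ip_ad_dr" suggests) and uses a constructed in-memory DNS table in place of real lookups:

```python
import ipaddress

# Constructed sample DNS table (name -> A records); not real gamerz.net data.
SAMPLE_DNS = {
    "192_0_2_10._relays_._email_.play.gamerz.net": ["192.0.2.10"],  # genuine host
    "203_0_113_5._relays_._email_.play.gamerz.net": ["192.0.2.10"],  # IP mismatch
    "192_0_2_20._relays_._email_.gamerz.net": ["192.0.2.20"],        # parent only
}


def sample_lookup(name):
    """Stand-in for a DNS A query; returns a list of addresses (empty = no record)."""
    return SAMPLE_DNS.get(name, [])


def drip_name(ip, helo):
    """Build the DRIP owner name: dots in the IPv4 address become underscores
    (assumed encoding), prefixed to _relays_._email_.<helo>."""
    return f"{ip.replace('.', '_')}._relays_._email_.{helo.lower().rstrip('.')}"


def drip_verdict(ip, helo, lookup=sample_lookup):
    """Classify the HELO/EHLO host the way the message lays it out:
    'authorized'     record at the HELO name returns the connecting IP
    'forged'         a record exists at the HELO name but the IP differs
    'not_designated' nothing at the host, but a parent domain publishes DRIP,
                     so this host should have relayed via the designated relay
    'no_drip'        no records at any level; the domain does not participate
    """
    ipaddress.IPv4Address(ip)  # raises on anything that is not an IPv4 address
    labels = helo.lower().rstrip(".").split(".")
    answers = lookup(drip_name(ip, helo))
    if answers:
        return "authorized" if ip in answers else "forged"
    # Walk the parents: play.gamerz.net -> gamerz.net -> net
    for i in range(1, len(labels)):
        if lookup(drip_name(ip, ".".join(labels[i:]))):
            return "not_designated"
    return "no_drip"


def should_reject(ip, helo, smtp_authenticated, lookup=sample_lookup):
    """Decision taken at MAIL FROM, not at EHLO: a roaming user who completed
    SMTP AUTH is exempt; otherwise forged and non-designated hosts are refused."""
    if smtp_authenticated:
        return False
    return drip_verdict(ip, helo, lookup) in ("forged", "not_designated")
```

The 'no_drip' verdict deliberately rejects nothing, matching the message's point that a domain with no records at any level simply has not adopted DRIP.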
