With LMAP, authentication is done to the originating domain, as opposed
to on a per-hop basis.
That's the phrasing I was looking for. Thanks. It's been a long day.
However, it seems to me that in cases where someone outsources their
email delivery, there will be significant administrative issues since
the owner of the domain will have to list all possible outbound servers
of the outsourcer in LMAP records. And anytime this information changes,
the DNS records need to be updated.
One word: delegation.
If *all* of their mail is outsourced, then the LMAP records can be
delegated to the domain which performs the delivery.
If some of the mail is outsourced, then this will be discovered
because the outsourced machine will probably do:
EHLO outsource-machine.example.com
MAIL FROM: anonymous@example.net
The LMAP system can check:
1) reverse-ip._lmap_.example.net
2) reverse-ip.example.com._lmap_.example.net
The first question asks: "is this IP authorized to send messages as
example.net?" If the answer is no, the second question is asked,
which is:
"Is this IP, which claims to be within example.com, allowed to send
messages as example.net?" example.net can then do something like:
example.com._lmap_.example.net IN PTR _lmap_.example.com
That should be easy to do, and should simplify a lot of the
delegation issues.
Alan DeKok.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
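The two-step lookup and the PTR delegation described in the message above, worked through as an added example. This is not code from the message, the ASRG list, or any LMAP draft; it runs against a constructed in-memory zone rather than real DNS. Assumptions beyond what the message states, labelled in the comments as well: an authorization record is a TXT record under the reversed-IP name (the message does not say what record type marks "yes"); the reversed IP uses in-addr.arpa octet order; the EHLO host's parent domains are tried in turn so that `outsource-machine.example.com` resolves to the `example.com` branch; whole-domain delegation ("all of their mail is outsourced") is expressed as a PTR at `_lmap_.<domain>`; and delegation is followed for one hop only. The last case in the usage block goes slightly beyond the message: an unknown EHLO domain gets no authorization, because the delegation PTR lives in the sender domain's zone, not in whatever the connecting host claims.

```python
import ipaddress

# Constructed zone data for the example (not real DNS). Each name maps to a
# list of (rrtype, rdata). Assumption: an LMAP "yes" answer is any TXT record
# at the reversed-IP name; the message above does not specify a record type.
ZONE = {
    # example.net's own outbound server, authorized directly.
    "10.2.0.192._lmap_.example.net": [("TXT", "ok")],
    # The PTR from the message: example.net hands the question "may this
    # example.com host send as example.net?" to example.com's own LMAP tree.
    "example.com._lmap_.example.net": [("PTR", "_lmap_.example.com")],
    # example.com authorizes its outsourced machine in its own tree.
    "20.2.0.192._lmap_.example.com": [("TXT", "ok")],
    # Assumption: a domain that outsources *all* mail delegates its whole
    # tree with a PTR at _lmap_.<domain>.
    "_lmap_.example.org": [("PTR", "_lmap_.example.com")],
}


def lookup(name, rrtype):
    """Return the rdata of all records of `rrtype` at `name` (case-folded)."""
    return [rdata for t, rdata in ZONE.get(name.lower(), []) if t == rrtype]


def reverse_ip(ip):
    """'192.0.2.20' -> '20.2.0.192' (in-addr.arpa octet order; assumed)."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))


def lmap_tree(domain):
    """Name of the LMAP subtree for `domain`, following a whole-domain
    delegation PTR at _lmap_.<domain> if present (assumption: one hop)."""
    base = f"_lmap_.{domain.lower()}"
    targets = lookup(base, "PTR")
    return targets[0] if targets else base


def ehlo_candidates(ehlo):
    """'outsource-machine.example.com' -> [itself, 'example.com'].
    Assumption: the message keys the second question on the EHLO host's
    parent domain; walking the parents covers both spellings."""
    labels = ehlo.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def authorized(ip, mail_from_domain, ehlo=None):
    """Two-step LMAP check. Returns (ok, last_name_queried)."""
    rip = reverse_ip(ip)
    tree = lmap_tree(mail_from_domain)

    # 1) "Is this IP authorized to send messages as mail_from_domain?"
    name = f"{rip}.{tree}"
    if lookup(name, "TXT"):
        return True, name
    if ehlo is None:
        return False, name

    # 2) "Is this IP, which claims to be within <EHLO domain>, allowed to
    #    send messages as mail_from_domain?"  mail_from_domain answers with
    #    records of its own under <EHLO domain>.<tree>, or with a PTR that
    #    redirects the question into the other domain's own LMAP tree.
    for dom in ehlo_candidates(ehlo):
        branch = f"{dom}.{tree}"
        targets = lookup(branch, "PTR")
        name = f"{rip}.{targets[0] if targets else branch}"
        if lookup(name, "TXT"):
            return True, name
    return False, name


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "example.net", None),                            # own server
        ("192.0.2.20", "example.net", "outsource-machine.example.com"),  # delegated
        ("192.0.2.20", "example.net", None),                            # no EHLO context
        ("192.0.2.20", "example.org", None),                            # whole-domain delegation
        ("192.0.2.99", "example.net", "outsource-machine.example.com"),  # unlisted IP
        ("192.0.2.20", "example.net", "mail.attacker.example"),         # unknown EHLO domain
    ]
    for ip, mfrom, ehlo in cases:
        ok, name = authorized(ip, mfrom, ehlo)
        print(f"{ip:<12} MAIL FROM @{mfrom:<12} EHLO {ehlo or '-':<30} -> {ok} ({name})")
```

Note the asymmetry that makes the delegation safe: the EHLO name only chooses which branch of the sender domain's own tree is consulted, and the PTR that forwards the question into `_lmap_.example.com` is published by example.net, so a host announcing `EHLO mail.attacker.example` gains nothing unless example.net has delegated to that domain.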