ietf-asrg

Re: [Asrg] 3b. SMTP Session Verification - The Forwarding Problem

2004-02-10 03:44:12
Jon Kyme said:
There's been discussion of ENVID on this list.

By ENVID, I take it that you mean RFC 3461. The last flurry of conversation 
about this was in December 2003 (relatively recently), although it's popped 
up a couple of other times also. Perhaps you can elaborate on why you see it 
as a viable solution; I see some problems with it.

The ENVID value itself isn't useful for determining whether or not a sending 
system has authority to use any given "MAIL From:" address. This *could* be 
useful if there were a means to call back the alleged originating system and 
verify the ENVID (since it should have originated there), but my skim-read of 
RFC 3461 did not uncover any such verification mechanism. It's not clear to 
me how ENVID is useful in the current context.

The same RFC also has the ORCPT parameter to the RCPT command, which is 
similar in principle to what I am suggesting, but with significant 
differences. For starters, ORCPT keeps only the original recipient, not a 
forwarding path. There are still scenarios in which a sending MTA may produce 
an envelope containing no addresses for which it has LMAP authorisation. For 
example, mail from <A> to <B> which is forwarded to <C>, then to <D>. In the 
transfer from C to D, we will have "MAIL From:<A>", and "RCPT To:<D> 
ORCPT=rfc822;B". <C> is no longer mentioned.

Despite superficial similarity, my proposal is mostly orthogonal to ORCPT. 
"VIA" is intended to keep track of the route a mail message takes on its 
way to the final recipient in a purely ESMTP environment. ORCPT tracks only 
the original recipient, and is designed to take mail gateways into 
consideration.

Additionally, the "VIA" specification could require that the most recent hop 
in the path be verifiable by some means (i.e. LMAP), if we ever agree on a 
standard means of testing. Failure to pass the test will be valid grounds for 
rejecting the message. In contrast, RFC 3461 (5.1(b)) forbids rejection on 
the basis of the ORCPT or NOTIFY parameters to RCPT (except for invalid 
syntax).

In short, neither ENVID nor ORCPT gives us data which we can use for LMAP 
verification of forwarded mail, whereas VIA does. I note that ORCPT is a 
parameter to RCPT, and "Via:" should probably be a parameter to RCPT for 
similar reasons.

So far as this mailing list goes, my favourite prior comment on the subject of 
ENVID et al is the following one by Tony Finch.

https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg01854.html

Regards,
TFBW
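
The A, B, C, D forwarding scenario from the message above, worked through as an added example (not part of the original message or of any proposal text). It assumes a constructed LMAP table with one authorised host per domain and models VIA only as a list of forwarding addresses, since the message defines no wire syntax for it.

```python
# Constructed data: each domain and the one host its (hypothetical) LMAP
# record authorises to send mail using that domain.
LMAP = {"a.example": "mta.a.example", "b.example": "mta.b.example",
        "c.example": "mta.c.example", "d.example": "mta.d.example"}

def domain(addr):
    return addr.rsplit("@", 1)[1]

def authorised(host, addr):
    """True if `host` is the LMAP-authorised sender for addr's domain."""
    return LMAP.get(domain(addr)) == host

def forward_chain(sender, recipients):
    """Yield one envelope per SMTP transfer for mail from `sender` to
    recipients[0], forwarded on through the remaining recipients."""
    orcpt = recipients[0]        # RFC 3461 ORCPT: original recipient only
    via = []                     # assumed VIA semantics: every forwarder so far
    host = LMAP[domain(sender)]  # the originating MTA connects first
    for rcpt in recipients:
        yield {"client": host, "mail_from": sender, "rcpt_to": rcpt,
               "orcpt": orcpt, "via": list(via)}
        via.append(rcpt)         # rcpt's MTA performs the next transfer
        host = LMAP[domain(rcpt)]

def checkable(env, use_via):
    """Envelope addresses the connecting client is LMAP-authorised for."""
    addrs = [env["mail_from"], env["rcpt_to"], env["orcpt"]]
    if use_via and env["via"] and env["via"][-1] not in addrs:
        addrs.append(env["via"][-1])  # only the most recent hop is tested
    return [a for a in addrs if authorised(env["client"], a)]

def report(sender, recipients):
    """(client, checkable without VIA, checkable with VIA) for each hop."""
    return [(e["client"], checkable(e, False), checkable(e, True))
            for e in forward_chain(sender, recipients)]

if __name__ == "__main__":
    hops = report("a@a.example",
                  ["b@b.example", "c@c.example", "d@d.example"])
    for client, plain, with_via in hops:
        print(f"{client}: without VIA {plain}, with VIA {with_via}")
```

On the transfer from C to D the envelope without VIA carries no address that C's MTA is authorised for, while the VIA list still names C.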

