ietf-asrg
[Top] [All Lists]

Re: [Asrg] VPNs

2009-06-30 04:54:52
Rich Kulawiec wrote:
On Thu, Jun 25, 2009 at 01:37:46PM +0200, Alessandro Vesely wrote:
AFAIK, there is no way SMTP can be configured so that a given sending location can be whitelisted. [...]

Yes, MTAs can be configured so that a given sending location -- that is,
IP address -- is whitelisted.  I do it all the time.  But it's not a
very good solution, and it doesn't scale.  Moreover, it's brittle: if the
sender's outbound mail server changes its address, then it stops working.
Conversely, if someone else acquires that server's previous address,
then it starts working for someone I didn't intend it to work for.

Level of work?  I think, roughly speaking, it's one or two lines of
configuration with most MTAs.  But (as I think you're pointing out) the
actual configuration itself isn't the issue: it's the time and effort
that it takes to figure out what should be in the configuration, and
then to maintain it.

Thanks for confirming that. My feeling is that we are overloading IP numbers with an accountability functionality that doesn't belong there.

For a different approach, there is a Message Security Level[1] SMTP extension that allows the above configuration to be written as

 example.com:  /SECURITY=STARTTLS

for each destination domain. That way, on can establish secure mail delivery channels between trusted domains, connected by an untrusted public network. It works by recognizing the certificates rather than the IP addresses. The option configured merely requires that TLS is used at each hop; it may be specified on the MAIL FROM command.
1: http://www.courier-mta.org/draft-varshavchik-security-smtpext.txt
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg