ietf-asrg

Re: [Asrg] What are the IPs that sends mail for a domain?

2009-07-01 11:45:14
Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:
> John Leslie wrote:
>
>> The CSV paradigm is that the operator of an MTA should exercise some
>> responsibility for what it sends. The HELO string identifies the MTA
>> (though not necessarily one string exclusively by one MTA), and the
>> DNS management for that domain-name string states whether that domain
>> exercises responsibility (and, by automatic return of Address RRs on
>> SRV queries, what IP address(es) that MTA uses).
>
> The link from the MTA to its operator is still missing.

   CSV doesn't try to enforce any particular link, but that doesn't
imply there is none.

>> While this perhaps comes "close", it's not designating an "accountable
>> party"; and the IP address is related to the HELO string, not the other
>> way around. It does _not_ lead to an "accountable party" -- it merely
>> associates a reference string (the domain name) that we can use as a
>> query to reputation services.
>
> To this end, I'd prefer the use of a domain name. One reason is that
> large ESPs have many MTAs that can be used interchangeably. In
> addition, the person responsible for an MTA is not always identifiable
> (in Italy, the mandate to state who the sysadmins of an MTA are has
> been postponed every few months since November 2008.) By
> contrast, domain registrants often have whois records pointing to them.

   I think I'm catching on: you want to link the MTA to a _registered_
domain.

   You should, IMHO, say so in the I-D: "domain" by itself doesn't
convey the idea of "registered domain".

>> RFC5068 deals with the operation of Mail Submission Agents. I don't agree
>> it even "suggests" how accountability should follow the message as it
>> winds its way to the recipient.
>
> It does. Notwithstanding the sentence you quoted, there is a
> "Submission Accountability after Submission" paragraph in section 3.1,
> saying
>
>       For a reasonable period of time after submission, the message
>       SHOULD be traceable by the MSA operator to the authenticated
>       identity of the user who sent the message.

   This deals _only_ with logging practices (or whatever magic) of the
operators of the Mail Submission Agent -- it implies nothing about
MTAs that may relay the message.

> A similar norm is mandated by anti-terrorism regulations, in the EU at
> least.

   Indeed, various jurisdictions write laws and regulations. We should
allow for them wherever practical, but we can't adapt an international
standard to every jurisdiction's laws and regulations.

> That way, accountability could be theoretically traced, _if_ the first
> submission followed those guidelines. While I can be reasonably sure
> that the connecting client is not an open relay, after IP based DNSBL,
> I have no means to know that the site either enforces the submission
> protocol in general, or did so for at least the messages it is about
> to relay.

   I do not believe that you'll know any better by linking to a
registered domain, but YMMV. I will stipulate that in the absence of
a reputation service, the _explicit_ link to a registered domain
gives a bit more clout to an assumption that the domain registration
information is a "responsible party"; but neither domain registrars
nor the VHLO draft would enforce much of anything. :^(

--
John Leslie <john(_at_)jlc(_dot_)net>
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
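Added illustration (not part of the thread, and not code from either correspondent or the CSV drafts): a receiving MTA's view of the mechanism John Leslie describes above. The HELO name is used to form a DNS SRV query, and the address records returned with the SRV answer are compared against the connecting client's IP address; the HELO name then becomes the key a reputation service would be asked about. Assumptions: the SRV owner name `_client._smtp.<helo>` is taken from the CSV/CSA drafts; the authorization semantics CSV encodes in the SRV priority and weight fields are deliberately not modelled (only record presence and address match are checked); live DNS is replaced by a constructed in-memory zone table; only IPv4 A records are considered.

```python
"""CSV-style HELO/IP consistency check over a constructed DNS table."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def fqdn(name: str) -> str:
    """Canonical form used as the table key: lower-case, trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


# Constructed zone data standing in for live DNS (example ranges only).
# Priority/weight values are placeholders; their CSV meaning is not modelled.
ZONE = {
    fqdn("_client._smtp.mx1.example.net"): {
        "SRV": [SrvRecord(priority=1, weight=2, port=25, target="mx1.example.net.")],
    },
    fqdn("mx1.example.net"): {"A": ["192.0.2.10", "192.0.2.11"]},
    # A host that exists but whose operator published no CSV SRV record.
    fqdn("mx9.example.org"): {"A": ["198.51.100.7"]},
}


def lookup(name: str, rtype: str) -> list:
    """Stub resolver: returns the RRset of the given type, or an empty list."""
    return ZONE.get(fqdn(name), {}).get(rtype, [])


def csv_check(helo: str, client_ip: str) -> tuple:
    """Return (verdict, reason) where verdict is 'pass', 'fail' or 'none'.

    'none' means the HELO name gives us nothing to evaluate (no SRV record,
    an address literal, an unparseable client address); it is not a failure.
    """
    helo = helo.strip()
    if not helo or " " in helo or helo.startswith("["):
        return "none", "HELO is not a domain name"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "none", "client address not parseable"

    srv = lookup(f"_client._smtp.{helo}", "SRV")
    if not srv:
        return "none", "no SRV record under _client._smtp for HELO name"

    # Collect the addresses of every SRV target (the 'Address RRs' that a
    # resolver normally returns alongside the SRV answer).
    published = set()
    for rr in srv:
        for a in lookup(rr.target, "A"):
            published.add(ipaddress.ip_address(a))

    if ip in published:
        return "pass", f"{ip} is a published address of {fqdn(helo)}"
    return "fail", f"{ip} is not among the published addresses of {fqdn(helo)}"


def reputation_key(helo: str, client_ip: str):
    """The string a receiver would hand to a reputation service.

    Only a HELO name whose published addresses include the client is used
    as the key; otherwise the receiver falls back to nothing (or to the IP
    itself, which is outside this illustration).
    """
    verdict, _ = csv_check(helo, client_ip)
    return fqdn(helo) if verdict == "pass" else None


if __name__ == "__main__":
    # Constructed sample sessions: (HELO string, connecting IP).
    sessions = [
        ("mx1.example.net", "192.0.2.10"),   # consistent
        ("mx1.example.net", "203.0.113.5"),  # HELO name whose addresses do not include the client
        ("mx9.example.org", "198.51.100.7"), # no CSV record published
        ("[192.0.2.10]", "192.0.2.10"),      # address literal, nothing to look up
    ]
    for helo, ip in sessions:
        verdict, reason = csv_check(helo, ip)
        print(f"{helo:20} {ip:15} {verdict:5} key={reputation_key(helo, ip)}  ({reason})")
```

The three-way verdict matters for the argument in the thread: a `pass` only ties the connecting address to the HELO string, which is the "reference string" usable as a reputation query; it says nothing by itself about who operates the MTA or whether that name belongs to a registered domain.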
