Alessandro Vesely wrote:
That's the risk we run when _mis_directing ARs. It can be minimized by
choosing a header that MTAs are aware of and actively zap unless
trusted, just like the A-R field of RFC 5451. Possible alternatives
may be to
1. use 5451's authserv-id,
2. create an A-R's extension, or
3. create a brand new header field.

I've been glancing at RFC 5451, and beginning to realize that
"destination discovery" by out-of-band methods will make the MUA's job
quite confusing in the case of multiple MDAs. How better to direct it
to the right place if the MDA (or incoming border MTA) can specifically
identify where the reports should go, in-band?

[Yes, I think I've flip-flopped again :-(]

Could we not do this by extending 5451 semantics to have a "where to
complain to" clause?

I note that 5451 specifically talks about/permits stripping of upstream
Authentication-Results:, both where the MTA figures it's being spoofed,
or simply all upstream at gateways or others as policy dictates.

MUAs could merely take the most recent AR headers that have the
appropriate complain-to fields. Exposure is limited to MUAs that will
do this on MTA/MDAs that haven't done anything about AR headers and
don't insert one of their own.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
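
The selection rule from the last paragraph of the message, as an added example (not code from the post or from RFC 5451): an MUA walks the Authentication-Results fields top-down and accepts a complaint address only from a field whose authserv-id it trusts. The `x-complain-to` property, the host names and the sample messages are assumptions constructed for illustration; the thread does not define a syntax.

```python
from email import message_from_string, policy

# Hypothetical property name; neither RFC 5451 nor the thread defines it.
COMPLAIN_KEY = "x-complain-to"

def parse_ar(value):
    """Split one A-R value into (authserv-id, {property: value}).
    Simplified: ignores comments and quoted strings."""
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    props = {}
    for part in parts[1:]:
        for token in part.split():
            key, sep, val = token.partition("=")
            if sep:
                props.setdefault(key.lower(), val)
    return authserv_id, props

def complain_to(raw_message, trusted_ids):
    """Return the complaint address from the most recent (topmost) A-R field
    written by a trusted authserv-id, or None if there is none."""
    msg = message_from_string(raw_message, policy=policy.default)
    trusted = {t.lower() for t in trusted_ids}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, props = parse_ar(str(value))
        if authserv_id in trusted and COMPLAIN_KEY in props:
            return props[COMPLAIN_KEY]
    return None

# Constructed sample: the local MDA prepended its own field above an upstream one.
DELIVERED = (
    "Authentication-Results: mda.example.net; spf=pass smtp.mailfrom=example.com;"
    " x-complain-to=abuse@example.net\n"
    "Authentication-Results: mx.elsewhere.example; x-complain-to=drop@elsewhere.example\n"
    "From: a@example.com\nSubject: test\n\nbody\n"
)
# Constructed sample: the MDA added nothing, so only an upstream field is present.
UPSTREAM_ONLY = (
    "Authentication-Results: mx.elsewhere.example; x-complain-to=drop@elsewhere.example\n"
    "From: a@example.com\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(complain_to(DELIVERED, {"mda.example.net"}))
    print(complain_to(UPSTREAM_ONLY, {"mda.example.net"}))
```

The authserv-id check only helps when the border MTA or MDA strips incoming fields that carry its own identifier; a field that survives with the trusted authserv-id is indistinguishable to the MUA.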