On 28/10/2011 19:28, Douglas Otis wrote:
> There are many methods that might be used to authenticate outbound
> MTAs, such as SMTP Auth. Ideally SMTP would include DANE extensions
> used in conjunction with Kerberos. If it were not for DKIM ignoring
> prepended headers, it would have merit as an anti-phishing strategy.
> Since DKIM does not verify who sent what to whom, it can only identify
> domains considered "too big to block" as well.
Excuse me for being thick, I'm trying to understand your thoughts.
I can sort of see how you could AUTHENTICATE outbound MTAs, however
that's not the problem as far as I can see. You can reliably
authenticate an outbound MTA based on its IP address at the moment
(although that would probably be less useful than authenticating a
'group' of MTAs based on the owner, eg Yahoo, and will be less useful
with IPv6). Some of the technicalities of authentication based on
cryptographic means are a bit unclear, but I can see that it could
probably be made to work.
However, once you have authenticated the MTA, you then need to decide
whether to authorise it, and what to authorise it for. Are you talking
about just authorising it to be able to send mail from a particular
domain? (If so, I'm not sure how this fixes the 'forwarding problem'),
or authorising it to be able to send mail to me at all? (in which case, who
would decide on that authorisation?)
(AFAICS something like SRS should probably be able to fix the forwarding
problem if the rest of the system is set up correctly)
You say "Ideally SMTP would include DANE extensions used in conjunction
with Kerberos" - now, I'm not very familiar with DANE or Kerberos at the
moment, but I think DANE lets you associate a certificate with a domain
name using DNS - yes? Since it wouldn't be possible for a sending MTA
to authenticate using such a certificate based on the sender's email
domain, I presume you mean it will use the certificate based on the
MTA's reverse DNS entry? So, how would that link the sending MTA with
the sender's email address?
And would Kerberos need a separate server? If so, where would that be,
the sending or receiving end? (I'm not sure I like the idea of having to
use Kerberos)
If you are just going to authenticate based on the MTA's reverse DNS,
then why not just mandate TLS and authenticate the client certificate
using DANE?
Could you not change SMTP to go something like:
EHLO sender
220 ENVSIGN CHALLENGE=RandomText
MAIL FROM: <sender@domain.com>
220 OK
RCPT TO: <rcpt1@user.com>
220 OK
RCPT TO: <rcpt2@user2.com>
220 OK
ENVSIGN: <PKI signature of
RandomText+sender@domain.com+rcpt1@user.com+rcpt2@user2.com>
220 OK
The sender signs the envelope data using the private key; the public key
is exposed using DNS or something (DANE?). Kerberos isn't needed, and
the sending MTA can send from multiple different domains in a single
session.
(Still doesn't solve forwarding without return path rewriting, or the
general authorisation problem, but authenticates the sender MTA
effectively, AFAICS)
_______________________________________________
Asrg mailing list
Asrg@irtf.org
http://www.irtf.org/mailman/listinfo/asrg
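As an added example (not part of the thread or any MTA's code), the ENVSIGN sketch above as a sign/verify pair in Go: the receiving MTA issues the random challenge, the sending MTA signs challenge + MAIL FROM + every RCPT TO with the domain's private key, and the receiver checks it with the public key it looked up for the sender's domain. Ed25519 and the NUL separator between fields are assumptions (the post only says "PKI signature" and plain concatenation), and the DNS/DANE key lookup is stood in for by handing the public key to the verifier directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"strings"
)

// Envelope is the data the proposed ENVSIGN covers: the server's challenge,
// the MAIL FROM address and every RCPT TO address, in the order given.
type Envelope struct {
	Challenge string
	Sender    string
	Rcpts     []string
}

// Bytes serialises the envelope in the order the sketch concatenates it:
// RandomText+sender+rcpt1+rcpt2. The NUL separator is an assumption, added
// so two fields cannot be re-split into different addresses.
func (e Envelope) Bytes() []byte {
	fields := append([]string{e.Challenge, e.Sender}, e.Rcpts...)
	return []byte(strings.Join(fields, "\x00"))
}

// NewChallenge is the receiving MTA's side: fresh random text per session,
// which is what stops a captured ENVSIGN from being replayed later.
func NewChallenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// SignEnvelope is the sending MTA's side: sign the envelope with the
// sender domain's private key (Ed25519 is an assumption, see lead-in).
func SignEnvelope(priv ed25519.PrivateKey, e Envelope) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, e.Bytes()))
}

// VerifyEnvelope is the receiving MTA's check against the public key it
// published-key lookup (DNS/DANE in the post) returned for the sender domain.
func VerifyEnvelope(pub ed25519.PublicKey, e Envelope, sig string) bool {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, e.Bytes(), raw)
}
```

Because the challenge is part of the signed data, a signature observed in one session fails under any other session's challenge, and adding or altering a recipient after signing fails verification as well.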