ietf-asrg

Re: [Asrg] Microsoft takes over British Telecom

2011-10-29 04:20:23
On 29/10/2011 02:38, Paul Smith wrote:
On 28/10/2011 19:28, Douglas Otis wrote:
There are many methods that might be used to authenticate outbound MTAs, such as SMTP Auth. Ideally SMTP would include DANE extensions used in conjunction with Kerberos. If it were not for DKIM ignoring prepended headers, it would have merit as an anti-phishing strategy. Since DKIM does not verify who sent what to whom, it can only identify domains considered "too big to block" as well.


(Still doesn't solve forwarding without return path rewriting, or the general authorisation problem, but authenticates the sender MTA effectively, AFAICS)

I've been thinking about forwarding.

If you have A -> B, then server B forwards to server C, C can't do any authentication based on A, because A doesn't know about the forwarding (or it would, presumably, just send to C directly).

So, all sender domain authentication fails (without return path rewriting).

So, what you need is for C to be able to give B an authentication key for the forwarding. Then, B could pass that back to C with the message (possibly as a parameter to the RCPT command). The issue with this is that user intervention would be needed - so every time a user wants to subscribe to a mailing list, or set up a forwarding to their gmail account, they would need to go to the destination server, get a key from it, and give it to the forwarding server. This could show consent for any anti-spamming legislation, but could also be too complicated for many users to handle.

The authentication key would need to allow B to send *anything* to C for the relevant recipient, so ideally the key that C gives would be specific to B (to allow it to be revoked in the case of abuse).

Technically this wouldn't need to be hard at all, it's just the manual requirement for key exchange that would be an issue for many people.



_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
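
The forwarding-key exchange proposed in the message above, as an added example that is not part of the original post or of any SMTP standard. The `FWDAUTH` RCPT parameter, the HMAC construction and the `DestinationServer` class are assumptions made here, and C is assumed to have already authenticated the connecting forwarder's identity by other means.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical syntax: "RCPT TO:<addr> FWDAUTH=<serial>.<mac>" (not a real SMTP extension).
RCPT_RE = re.compile(r"^RCPT TO:<([^<>\s]+)>(?: FWDAUTH=([0-9a-f]+)\.([0-9a-f]+))?$")


class DestinationServer:
    """Server C: issues one key per (forwarder, recipient) pair and checks it at RCPT time."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # never leaves C
        self._serials = {}  # (forwarder, recipient) -> serial of the one valid key

    def _mac(self, forwarder, recipient, serial):
        msg = "\n".join((forwarder, recipient, serial)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_key(self, forwarder, recipient):
        """Manual step: the recipient fetches this from C and hands it to forwarder B."""
        recipient = recipient.lower()
        serial = secrets.token_hex(8)
        self._serials[(forwarder, recipient)] = serial  # replaces any earlier key
        return f"{serial}.{self._mac(forwarder, recipient, serial)}"

    def revoke(self, forwarder, recipient):
        """Cut off one abusive forwarder without touching the recipient's other keys."""
        self._serials.pop((forwarder, recipient.lower()), None)

    def check_rcpt(self, forwarder, rcpt_line):
        """forwarder is the peer identity C has already authenticated (assumed here)."""
        m = RCPT_RE.match(rcpt_line.strip())
        if not m or m.group(2) is None:
            return False  # malformed command or no key presented
        recipient, serial, mac = m.group(1).lower(), m.group(2), m.group(3)
        current = self._serials.get((forwarder, recipient))
        if current is None or not hmac.compare_digest(current, serial):
            return False  # never issued, revoked, or superseded
        return hmac.compare_digest(mac, self._mac(forwarder, recipient, serial))


if __name__ == "__main__":
    c = DestinationServer()
    key = c.issue_key("b.example", "user@c.example")  # constructed sample names
    print(c.check_rcpt("b.example", f"RCPT TO:<user@c.example> FWDAUTH={key}"))
    c.revoke("b.example", "user@c.example")
    print(c.check_rcpt("b.example", f"RCPT TO:<user@c.example> FWDAUTH={key}"))
```

Because the MAC covers the forwarder's identity, a key leaked from B is useless to any other sending host, and revoking it affects only mail relayed through B.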