On Apr 15, 2008, at 4:09 AM, Charles Lindsey wrote:
On Mon, 14 Apr 2008 19:06:05 +0100, Douglas Otis <dotis(_at_)mail-
abuse.org>
wrote:
RFC 2822 does not depend upon SMTP as being the message exchange
protocol. In addition, future message exchange protocols may
depend upon different address resolution protocols, such as PRNP.
PPNP avoids any reliance upon DNS, for example. Any protocol that
might replace DNS may also adopt a strategy of DNS independence.
Unless ADSP specifies policies are limited to SMTP, it would be
incorrect to conclude existence checks can or should depend upon
DNS resource records.
But how do you know which protocol the message was written for?
If it arrives at your site via SMTP, then you should apply the ADSP
rules appropriate to SMTP. If it actually started life being
transported by XXTP, then you just have to assume that the XXTP to
SMTP gateway had fixed it up (e.g by not letting it through at all
if it was going to violate someone's policy).
SMTP only defines "MAIL FROM" as an SMTP suitable email-address.
Email-addresses contained within the RFC2822 headers may adopt
different regimes pertaining to different address resolution or
transport protocols. In addition, DKIM is not limited to an email
address suitable for SMTP. One might assume any email-address signed
by DKIM is suitable with SMTP. However, a transport protocol
transition will likely involve transport conversion gateways.
Conversely, if it arrives at your site via XXTP, then it may or may
not be worth trying ADSP on it (depending on whether or not you have
DNS access). It is again really a matter for any earlier SMTP to
XXTP to have sorted the matter out (e.g. by verifying it and not
passing it on if it failed).
For example, assume XXTP uses a different discovery method from that
of SMTP. To clarify a protocol dependence, email-addresses using a
new protocol might include a postfix label of 'xxtp', such as
"jon(_dot_)doe(_at_)example(_dot_)com(_dot_)xxtp
". Here, DKIM could establish associations between the different name
spaces. Unfortunately, attempts at applying an 'existence' test to
support ADSP From header compliance would also make addresses suitable
for different transport protocols fragile when carried over SMTP.
So, ADSP must either assume email-addresses within the From header are
suitable for use with SMTP, and then check for SMTP specific DNS
resource records, or require each domain to publish policy resource
records.
Although there is a difference between accounts.big-bank.com and big-
bank.com, this difference enables a fair amount of spoofing. There
are no practical limits that could be applied to domain tree walking,
since us.accounts.big-bank.com also represents a similar risk.
NXDOMAIN, as a means to circumvent domain tree walking is problematic
when a domain, network provider, or TLD provider make use of
wildcards. NXDOMAIN also assumes _all_ email-addresses contained
within the From header, are suitable for some undefined transport that
also depends upon DNS. While this assumption is often correct, making
this assumption a requirement must be deliberate, where this will
affect SMTP overall extensibility.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html