ietf-dkim

Re: [ietf-dkim] Discussion of Consensus check: Domain Existence Check

2008-06-11 10:09:15

On Jun 11, 2008, at 1:48 AM, Charles Lindsey wrote:

On Tue, 10 Jun 2008 18:34:57 +0100, Douglas Otis <dotis(_at_)mail-abuse.org> wrote:

On Jun 9, 2008, at 9:21 PM, Jim Fenton wrote:

Since it apparently isn't clear:  I am proposing retaining the  
NXDOMAIN domain validity check as a MUST.  It is only the MX and A/AAAA
check that I'm proposing be changed from a SHOULD to a MAY.

The situation created by MS Exchange creates a problem where just  
an NXDOMAIN check is still problematic.  While NXDOMAIN might occur  
for any leaked X.400 address or typical  
"somebody(_at_)something(_dot_)invalid", NXDOMAIN results might also occur  
with any proxy SMTP addresses assigned by MS Exchange.  This occurs  
since MS Exchange assignments and routing do not depend upon DNS  
records.  Such an NXDOMAIN test would disrupt messages created by  
the company where I work, for example.  In addition, unless the  
test goes one step further to determine whether a domain appears to  
support SMTP, this would offer far less utility in preventing  
address spoofing.  Nor could just an NXDOMAIN test offer protection  
for non-SMTP domains.

But you have repeatedly failed to explain how a verifier could  
recognise and handle this case in a manner that did not leave a  
loophole for all the scammers and spoofers to walk through. If some  
message arrives with a From that includes a proxy SMTP address  
assigned by MS Exchange (which will surely result in NXDOMAIN), what  
do you want the Verifier to do? Is there some way that it can  
recognise this as a proxy address and let it through whilst still  
rejecting things apparently from the domain funny.ebay.com?

It is impossible for a verifier to determine the nature of an NXDOMAIN  
result when validating From email-addresses.  Validating that the From  
domain might support SMTP (or that it exists) is not limited to  
domains using DKIM or those that may publish ADSP at some domain  
level.  While a domain validation effort might be seen as necessary in  
the elimination of address spoofing (and to limit where publishing  
practices might be required), the impact of domain validation is  
global.  As such, domain validation should be seen as a systemic  
change to SMTP, and not simply as an aspect of ADSP.

Once SMTP interoperability is changed to require the From (or all  
originating) email-address domains to publish records supporting SMTP,  
some messages will not be compliant.  When imposing this requirement,  
provisions should be available that allow receiving hosts to make  
exceptions based upon either the domain or IP address of the SMTP  
client.  A means to make exceptions ensures crucial systems remain  
functional even when DNS is inoperable.  Exceptions also provide a  
solution while waiting for non-compliant domains to become compliant.

If some companies using MS Exchange allow such messages to escape,  
then I am afraid that is just Tough! It is a stupid behaviour. I  
might accept that domains whose TLD clearly did not exist could be  
exempted from the NXDOMAIN check in ADSP.

Which TLDs should be ignored?  Imposing SMTP domain requirements will  
likely reveal a need to make many exceptions.  Do you agree there  
should be a means for making exceptions?  Whether making address  
assignments exclusively within MS Exchange is considered stupid (and  
you'll find agreement there), imposing a requirement that
email-addresses must be valid (in some manner) changes SMTP  
interoperability.  As it is now, recipients will normally see these  
messages (which may not expect a response), and might even be  
considered an alternative to the use of "do-not-reply@" local-parts.

And what do you mean by a "non-SMTP domain"? AFAIK the phrase is  
meaningless.

A domain publishing SMTP discovery records could be defined as a  
possible SMTP domain.  With even greater certainty, those that don't  
can be described as a non-SMTP domain.  IMHO, a draft defining what  
might be an SMTP domain should exclude AAAA from a list that provides  
confirmation of SMTP support.  AAAA records for SMTP discovery  
support a case where local host definitions are needed, especially  
when DNS is not available.  Just as with a local host definition,  
exceptions made for publishing MX records also are needed for crucial  
systems.  In practice, SMTP already requires extensive client  
evaluation.  An option for requiring or allowing exceptions for SMTP  
domain support by receiving hosts seems an appropriate means for  
imposing the requirement.  Judging by the growing impatience, this  
strategy should be published in a separate draft from that of ADSP.

-Doug



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
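
The checks debated in this message, as an added illustration that is not part of the original post or of any DKIM/ADSP draft: the NXDOMAIN test, the optional MX/A/AAAA test with a configurable record list, and receiver-local exceptions by domain or SMTP client IP that still hold when DNS is down. The zone table, verdict strings and function names are assumptions made for the example.

```python
import ipaddress

# Constructed zone data standing in for a resolver (not real DNS answers).
# A name missing from ZONE is NXDOMAIN; a name present without the rrtype is NODATA.
ZONE = {
    "example.com": {"MX": ["mx.example.com"]},
    "v6-only.example": {"AAAA": ["2001:db8::25"]},
    "txt-only.example": {"TXT": ["v=spf1 -all"]},
}

def lookup(name, rrtype, dns_up=True):
    """Hypothetical resolver stub returning (rcode, answers)."""
    if not dns_up:
        return "SERVFAIL", []
    if name not in ZONE:
        return "NXDOMAIN", []
    answers = ZONE[name].get(rrtype, [])
    return ("NOERROR", answers) if answers else ("NODATA", [])

def check_from_domain(domain, client_ip, exempt_domains=(), exempt_nets=(),
                      smtp_rrtypes=("MX", "A", "AAAA"), dns_up=True):
    """Return (verdict, reason) for the From domain of one message."""
    domain = domain.rstrip(".").lower()
    ip = ipaddress.ip_address(client_ip)
    # Local exceptions come first so they do not depend on DNS being reachable.
    if domain in exempt_domains:
        return "accept", "exempt-domain"
    if any(ip in ipaddress.ip_network(net) for net in exempt_nets):
        return "accept", "exempt-client"
    for rrtype in smtp_rrtypes:
        rcode, answers = lookup(domain, rrtype, dns_up)
        if rcode == "SERVFAIL":
            return "tempfail", "dns-unavailable"   # cannot tell NXDOMAIN from outage
        if rcode == "NXDOMAIN":
            return "fail", "nxdomain"              # the existence check
        if answers:
            return "accept", "smtp-record:" + rrtype
    # Domain exists but publishes none of the listed SMTP discovery records.
    return "suspect", "no-smtp-records"

if __name__ == "__main__":
    for dom in ("example.com", "something.invalid", "v6-only.example"):
        print(dom, check_from_domain(dom, "198.51.100.7"))
```

Passing `smtp_rrtypes=("MX", "A")` models the suggestion that AAAA alone should not count as confirmation of SMTP support.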
