ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Passing authentication information via SMTP

2004-03-03 15:26:27
from [Yakov Shafranovich] [Permanent Link] 

Jon Kyme wrote:

Y.S. wrote:
The MAIL FROM parameter does not tell us where the mail is from, only the bounce address for that email. The assumption is that whoever is the bounce address is, is probably the sender, but in many cases especially mailing lists, that is not true. As a matter of fact in some protocols such as SMTP AUTH, the sender's identity is passed in an SMTP extension separate from the bounce address. 


Or the other way up:
The assumption is that the address given as the sender in the MAIL FROM is
useful as the bounce address.

The MAIL FROM argument is *used* for bounces, but it's use in LMAP
doesn't seem to be contrary to its purpose of specifying the "sender" mailbox:
Please understand that I am not against using the envelope from, but the fact that its meant for something else needs to be stated. If my consent is required in order to use my address as a bounce address, that's a useful addition for the mail system. But if we want to do that, AND pass authentication information on the original sender, that's two different purposes.
In my understanding the RFC appears to be ambigious since it does state that the sender's address is only used for error reporting. My understanding of the RFC that its only meant for error reporting is based on a conversation with Pete Resnick who edited it.
Additionally, the analogy on which its based is the real world postal system where the sender's address on the envelope indicates the return address but not necessarily the person that send it. 

Also, RFC 2554 defines an additional parameter in MAIL FROM:

"5. The AUTH parameter to the MAIL FROM command

   AUTH=addr-spec

   Arguments:
       An addr-spec containing the identity which submitted the message
       to the delivery system, or the two character sequence "<>"
       indicating such an identity is unknown or insufficiently
       authenticated.
"
Apparently the MAIL FROM command was not sufficient for this purpose since it indicates the bounce address. This parameter was added in order to pass authentication information. 

Yakov
P.S. The description from RFC 2554 eerily reminds me of some of the text describing LMAP.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Principles of Spam Abatement, Yakov Shafranovich
Next by Date:  Re: MBONE access?, ned . freed
Previous by Thread:  Re: Passing authentication information via SMTP, Jon Kyme
Next by Thread:  Re: Passing authentication information via SMTP, Jon Kyme
Indexes:  [Date] [Thread] [Top] [All Lists]