On Tue, Mar 23, 2004 at 12:52:34AM -0800, Dave Crocker wrote:
Who has authority to set the mailfrom?
The original sending entity, plus any MX handling the mail. Basically,
whichever entity is currently handling the mail has the authority to
change RFC2821 ENVELOPE-FROM. I can imagine this might stike some
people as odd, but if we're assuming that the originating entity is
always forced to go through an authorized MX to send mail, I see no
reason why that MX can't be granted authority over ENVELOPE-FROM.
Similarly, the receiving MX shouldn't be prohibited from altering
ENVELOPE-FROM during processing (though this is more likely to cause
breakage than the other two authorities making changes).
If more than one entity has the authority, what is the relationship
among them?
See above.
If we validate that the field is authentic, what good is that?
Well, depends on what you mean by "authentic". If "authentic" means,
"is a valid address capable of receiving mail", then there's not much
value in it, except to ensure bounces go somewhere. It'll still allow
joe-jobs.
If by "authentic" you mean "somehow verified as authoritative for
receiving bounces for some identity [I'm unclear as to whether this
identity would be derived from HELO/EHLO, RFC2822 identities, or some
combination of these]", the value increases somewhat (though whether
it'll stop practices like joe-jobbing depends on what identity is used
to authenticate, and the constraints of the authentication process).
What will be better?
I think additional checks would be beneficial, but I see no reason to
exclude a check on ENVELOPE-FROM.
What will not be changed?
MTAs will remain misconfigured and insecure, and joe-jobs, or the next
iteration in the evolution of such practices, will still exist.
--
Mark C. Langston Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org
mark(_at_)seti(_dot_)org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org