ietf-mxcomp
[Top] [All Lists]

Re: Intermediate MTA setting MAIL-From

2004-03-23 17:20:55

Mark,


Who has authority to set the mailfrom?
MCL> The original sending entity, plus any MX handling the mail.

Huh?  Why should an MX (ie, a relay) have authority to redirect bounces?

MCL>   Basically,
MCL> whichever entity is currently handling the mail has the authority to
MCL> change RFC2821 ENVELOPE-FROM.

Oh boy, do I disagree!

That's like saying that anyone in the postal system has the authority to
change the return address on the envelope from me.


MCL>   I can imagine this might stike some
MCL> people as odd, but if we're assuming that the originating entity is
MCL> always forced to go through an authorized MX to send mail, I see no
MCL> reason why that MX can't be granted authority over ENVELOPE-FROM.

MX is outbound, not inbound.   There is no such thing as a "receiving
MX".


If we validate that the field is authentic, what good is that? 
MCL> Well, depends on what you mean by "authentic".  If "authentic" means,
MCL> "is a valid address capable of receiving mail",
...
MCL> If by "authentic" you mean "somehow verified as authoritative for

All of the proposals under discussion provide a formal authentication
mechanism.  That's what I mean by authentic.


What will be better?
MCL> I think additional checks would be beneficial, but I see no reason to
MCL> exclude a check on ENVELOPE-FROM.

Folks need to start paying attention to aggregate costs.  They also need
to pay attention to steps that do not provide significant improvements.
A security mechanism with wasteful requirements winds up being less
secure.



d/
--
 Dave Crocker <dcrocker-at-brandenburg-dot-com>
 Brandenburg InternetWorking <www.brandenburg.com>
 Sunnyvale, CA  USA <tel:+1.408.246.8253>