ietf-mxcomp

Re: Not just which dots, but how are they connected?

2004-04-23 15:22:11

On Fri, 2004-04-23 at 14:57, Yakov Shafranovich wrote:
> I would agree with John that a domain does not employ MTAs but rather
> tells the outside world which domains handle outbound email for it
> (outbound deployment). The domain IS NOT stating that it has control
> over the MTAs in question, rather that they relay email for this domain.
> HOWEVER, if HELO 2821 is used then you are stating that the MTA in
> question is under your control.

Think of the problem as determining the responsible party in a circle of
trust.  In that case, you want to know who is running the MTA and
whether they can be trusted. If the scope of what needs to be achieved
is to establish the responsible domain for the current SMTP connection,
then no SMTP protocol changes are required nor do any headers need to be
revised.  Only a clarification as to which fields and their priority
used to establish a responsible domain is required of any standard that
specifies the DNS entry used in this process.

Any header affirmation can be forged without cryptographic third-party
verification; however, relaying notice of a lack of domain verification
via a new X-header field would have value in terms of instructing users
and operators on a lack of conformance to the recommendations.  Over
time any MTA failing to add this notice could be considered
non-conforming and this function can be done within the same milter
plugin that provides the DNS query.

Once these notifications become few, the MTA policy can then change how
these connections are handled.  This also provides a responsible domain
to be queried for adherence to acceptable use policies.  It would seem
completely fruitless to expand a circle of trust to include users where
this circle then becomes infinitely large.

Asserting a domain using helo seems relatively benign and provides for
forwarding.  Either trust the domain in regard to their accounts and
their lack of header spoofing or not.

-Doug