Greg Connor [mailto:gconnor(_at_)nekodojo(_dot_)org] wrote:
Jon Kyme:
No.
This is not erroneous. It's in accord with the published
record and
with the final recipient system policy. It's correct.
Try again.
--Harry Katz <hkatz(_at_)exchange(_dot_)microsoft(_dot_)com> wrote:
So just to make sure I understand correctly, under the
policy you've
defined, the sender is essnetially giving permission to
receivers to
reject mail if the MAIL FROM domain fails to be validated, right?
YES.
But senders have absolutely no knowledge about what forwarding
relationships the recipients may have set up. Thus, they have no
way
to know whether or not their messages will be accepted or rejected
under this policy.
Correct, the sender will get a bounce in this case saying the
message could not be delivered.
That causes two problems:
1. If spoofed mail has been sent through a non-SRS compliant forwarder
(i.e. almost all of them today) then a joe job results. By rejecting
mail at MAIL FROM you are contributing to one of the problems you're
trying to solve.
2. This approach raises the bar considerably for legitimate senders to
be assured their mail is getting delivered. They not only have to know
the email address of the recipients. They also have to know that every
forwarder that every recipient might choose to use has implemented SRS
or some form of rewriting. This will do nothing, to say the least, to
restore confidence in the reliability of email from the perspecive of
legitimate senders.
In other words, the policy you've stated is equivalent to "We're
sending
mail from this set of IP addresses. We don't really care whether
they
get delivered or not."
Not necessarily. It's the responsibility of any mailer accepting the
message to either deliver it or return it.
The sender has no control over what the receiver does or does not do
with the message. Your policy implies they don't care.
If the sender and receiver are
both using LMAP-MAIL-FROM, AND the forwarder doesn't rewrite, AND the
receiver didn't whitelist the forwarder, THEN the message is
returned to sender.
How can the forwarder be whitelisted when the forwarder doesn't rewrite?
The forwarder doesn't appear in the MAIL FROM. Only the original sender
does. So you can't base rejection on MAIL FROM.
Other than spammers themselves, who would be willing to make such a
policy statement? And if a domain IS willing to make such a policy
statement, why shouldn't the receiver just reject ALL mail coming
from
that domain?
Not sure why this is a hard concept. Perhaps you could explain what
directOnly is for and I can replace some key words and give
you back the
explanation you are seeking.
I'm asking a very simple question here: What domains don't care whether
or not their mail gets delivered?
In general, an MTA should either be an agent for the sender,
or an agent
for the receiver. Third-party MTAs don't get involved just
on a whim;
either the sender or the receiver asked for them to be
involved. If a
receiver wants to receive forwarded mail, the forwarder needs
to comply, or
they need to make an exception for that forwarder.
But as I noted above, the receiver can't make an exception (i.e.
whitelist) because the forwarder doesn't appear in the MAIL FROM. So
that means all forwarders have to rewrite.
I asked for a scheme that permits correct rejection at MAIL FROM in the
face of non-SRS forwarders. You've responded with a scheme that
requires universal SRS deployment.