ietf-mxcomp

Re: A 40% solution?

2004-05-13 14:17:04

Andrew Newton <andy(_at_)hxr(_dot_)us> wrote:

Let me try to stepify what you are saying:

Step 1: obtain domain name from HELO/EHLO

   Yes.

Step 2:  DNS query
input:   domain name
output: "MARID level" (this is a policy acceptance level), list of 
reputation services, some flags

   Yes.

Step 3: DNS query
input:  rDNS of SMTP source in _HELO.domain tree
output: "MARID level"

   Not exactly.

   (Ignore for the moment my hand-waving about being able to skip this
step some large fraction of the time.)

   The output signals which of the four sets that IP address belongs to.
The "MARID level" comes at step 2.

Step 4: query reputation service(s)

   Yes, assuming the IP address is in the "known-good" set.

Step 5: If match, report "good"

   Yes. In the best case, this means skip 2821 MAIL FROM checking.

   There's room for yet more hand-waving about the other possibilities.

Step 6: obtain domain name from email address of MAIL FROM

   Yes.

Step 7: DNS query
input:   domain name
output: "MARID level" (this is a policy acceptance level), list of 
reputation services, some flags

   Yes.

Step 8: DNS query
input:  rDNS of ?????? in _MAILFROM.domain tree
output: "MARID level"

   Again, we get set membership, not MARID level.

Step 9: query reputation service(s)

   Yes.

So, what is the "MARID level" in step 2 used for?

   That is the level of MARID compliance claimed for the sending MTA.
It is used (along with a second-opinion from the reputation service)
to decide what the sending MTA should be trusted to have already done.

And where does the IP address for Step 8 come from?

   That is the IP address of the sending MTA (unchanged from the
earlier HELO/EHLO test). We're interested in determining whether that
MTA should be trusted to have already verified the goodness of the
2821 MAIL FROM bounce address.

====
   Though you didn't ask, the MARID level is necessarily the same for
both tests, because it's the same MTA under the same management. But
the MARID level might possibly indicate full compliance for HELO and
no checking whatsoever for MAIL-FROM.

--
John Leslie <john(_at_)jlc(_dot_)net>
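The nine-step sequence worked through in the exchange above, as an added example that is not part of the thread and not code from any MARID participant: an in-memory stand-in for DNS, the HELO-domain test (steps 1 to 5) and the MAIL FROM test (steps 6 to 9) using the same source IP, with the MAIL FROM test skipped when the HELO test reports "good". Everything about record encoding is an assumption made here (the thread specifies no wire format): policy records as "level=<n> rep=<svc> flags=<f>" TXT-style strings, set membership looked up under the reversed-octet form of the IP in the _HELO / _MAILFROM subtree (as a DNSBL would key it), and a reputation service answering "ok" or "bad" under the same reversed-octet name. Only the "known-good" set is named in the thread, so the other three sets are not modelled. All names, addresses and records below are constructed sample data.

```python
import ipaddress

# Constructed stand-in for DNS (name -> TXT-like strings), keys lowercase.
# Record encodings are assumptions for this example only:
#   <domain>                          "level=<n> rep=<svc>[,<svc>] flags=<f>"
#   <reversed-ip>._helo.<domain>      "set=<name>"   (set membership; only
#   <reversed-ip>._mailfrom.<domain>                  "known-good" is modelled)
#   <reversed-ip>.<svc>               "ok" or "bad"  (reputation service answer)
FAKE_DNS = {
    "example.com": ["level=2 rep=rep.example.net flags=none"],
    "sender.example.org": ["level=1 rep=rep.example.net flags=none"],
    "10.2.0.192._helo.example.com": ["set=known-good"],
    "10.2.0.192.rep.example.net": ["ok"],
    "20.2.0.192._helo.example.com": ["set=known-good"],
    "20.2.0.192.rep.example.net": ["bad"],
    "30.2.0.192._mailfrom.sender.example.org": ["set=known-good"],
    "30.2.0.192.rep.example.net": ["ok"],
}


def lookup(name):
    """DNS is case-insensitive; the stand-in normalises to lowercase."""
    return FAKE_DNS.get(name.lower(), [])


def reversed_octets(ip):
    """192.0.2.10 -> 10.2.0.192 (DNSBL-style key; assumed, not from the thread)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def policy(domain):
    """Step 2 / step 7: MARID level, reputation services and flags for a domain."""
    for txt in lookup(domain):
        fields = dict(part.split("=", 1) for part in txt.split())
        return {
            "level": int(fields.get("level", 0)),
            "rep": [s for s in fields.get("rep", "").split(",") if s],
            "flags": fields.get("flags", ""),
        }
    return None  # domain publishes nothing


def set_membership(ip, tree, domain):
    """Step 3 / step 8: which set the source IP is in, per the domain's subtree."""
    for txt in lookup(f"{reversed_octets(ip)}.{tree}.{domain}"):
        if txt.startswith("set="):
            return txt[len("set="):]
    return None


def reputation_ok(ip, services):
    """Step 4 / step 9: True if every service says ok, False if any says bad,
    None if no service gives an answer."""
    answers = [lookup(f"{reversed_octets(ip)}.{svc}") for svc in services]
    if any(a == ["bad"] for a in answers):
        return False
    if answers and all(a == ["ok"] for a in answers):
        return True
    return None


def check(ip, tree, domain):
    """Steps 2-4 (or 7-9) for one domain: policy, set membership, reputation."""
    pol = policy(domain)
    if pol is None:
        return "unknown", None
    if set_membership(ip, tree, domain) != "known-good":
        return "unknown", pol  # reputation is only consulted for known-good IPs
    rep = reputation_ok(ip, pol["rep"])
    if rep is None:
        return "unknown", pol
    return ("good" if rep else "bad"), pol


def evaluate(ip, helo_domain, mail_from):
    """Full sequence: HELO test first; a 'good' result skips the MAIL FROM test
    (step 5), otherwise the same IP is tested under the MAIL FROM domain."""
    helo, pol = check(ip, "_HELO", helo_domain)
    result = {"helo": helo, "claimed_level": pol["level"] if pol else None}
    if helo == "good":
        result["mailfrom"] = "skipped"
    else:
        result["mailfrom"], _ = check(ip, "_MAILFROM", mail_from.rpartition("@")[2])
    return result


if __name__ == "__main__":
    print(evaluate("192.0.2.10", "example.com", "bob@sender.example.org"))
    print(evaluate("192.0.2.20", "example.com", "bob@nopolicy.example"))
    print(evaluate("192.0.2.30", "example.com", "alice@sender.example.org"))
```

The "claimed_level" field is carried through but not acted on, matching the thread: the level says what the sending MTA claims to have already checked, and what a receiver does with that claim is left open here.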

