ietf-mxcomp

CVS Questions/Comments [was Re: Comparing apples to multiple, hypothetical oranges]

2004-07-01 02:26:54

A few rudimentary questions first:

1) Are there any CVS test sites to test/compare results?

2) Are there any DNA sites to test/compare results?

3) Do you have a list of CVS ready domains I can use for testing logic?

4) Is Accreditation required for CVS to be useful? In other words, is it
useless without it?

Comments on draft-ietf-marid-csv-csa-00

| 4. Mechanism
|
|    The receiving SMTP server's authorization procedure is:
|
|    1.  Obtain a domain name that is associated with the sending SMTP
|        client.

A suggestion: A technical note should be added about possible syntax
checking and domain literals and how this is an appropriate place for an
optimal and quick local domain spoof check.

For example,

- if the IP is a remote address and the client domain is santronics.com, I
don't need to bother with any CVS validation DNS overhead.  It's an obvious
spoof.

- if the client domain is a bracketed IP literal, it must match the sender
IP.  It's an obvious spoof.

Both represent at least 10-12% of my rejection rate.

Comments on draft-ietf-marid-csv-intro-00:

| 3.  Design Goals
|
|    o  Identification by persistent domain name rather than transient IP
|       Address

At first glance the term "persistent domain name" when used as an analogy to a
transient IP address seems to imply that the client domain never changes
from hop to hop as opposed to an IP changing from hop to hop.

So if I understand the term "persistent domain name" it implies that a
consistent domain name is used for CVS publishing and for SMTP Sender usage
in its HELO/EHLO command?

I think the term "Consistent" better applies.

| Section 4.2  Authentication
|
|    ....
|    What is missing is a useful means of authenticating MTA-MTA exchanges
|    over the open Internet.  Prior arrangement between such a pair of
|    MTAs is antithetical to the history and operation of Internet mail.

Can you give an example of where this is antithetical provided we are not
talking about an open relay?  An Internal Domain MTA-MTA implies inherent
trust. An External domain MTA-MTA is an open relay.  I can only see it to be
valid if the MTA-MTA are part of a "network" or network relationship.

|   Spontaneous communications are at the core of Internet design and
|   operation.  So the challenge is to develop an authentication
|   mechanism that permits the necessary amount of accountability,
|   without imposing undue overhead or restrictions.

What's the suggestion for improving accountability?

I guess what I am asking or saying is that CVS breaks down if the MTA-MTA
is not trusted so it might help to define what this means in terms of
"Spontaneous communications."

Is CVS authentication an "alternative" to the existing authentication method
currently used as requirement for routing?

| 9.  Working Group Evaluation
|
|    This section contains responses to the issues put forward by the
|    MARID working group chairs.
|
|    1.  Amount of change in software components
|
|        Client MTA's MUST put their registered domain name in EHLO
|        announcements.

In addition to this, I see:

1)  How CVS is implemented to work with STARTTLS and/or AUTH.

It may require a delay until AUTH is established or the 2nd EHLO is sent for
STARTTLS situations or CVS may change the SMTP extensions response.   Your
input would be appreciated.

2) SMTP servers need to maintain a list of accreditation services available.
More need to be available for my cheap sysop customers. <g>

3) How #2 is considered may change or introduce a "Chicken and Egg"
consideration. For example Section 1 says:

| 1.  Overview
|
|    3.  Query a chosen Accreditation Service for the EHLO domain name
|        (see Domain Name Accreditation (DNA) [ID-Marid-CSVDNA])
|
|    4.  Query DNS for a SRV record under the EHLO domain name (see Client
|        SMTP Authorization (CSA) [ID-Marid-CSVCSA])
|
|    5.  Check the flags returned and check for a match in the list of
|        returned IP addresses

It might be better to do 4 first before 3 and add SRV information to CSA to
supply the preferred DNA site for the domain.  The site must still be among
the servers list of chosen sites the server will honor.

If you don't do this, then the server will probably need to query its
list of DNA sites looking for CSA authorization.

That's about it for now!  Hope this helps.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
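As an added illustration of the cheap local spoof pre-check proposed in the post (example code written for this page, not code from the post, from Santronics or from the CSV drafts), here is a HELO/EHLO pre-filter that runs before any CSV/CSA DNS lookups; the local domain and local network values are constructed for the example.

```python
import ipaddress

# Constructed example configuration (assumption, not from the post):
LOCAL_DOMAINS = {"santronics.com"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def helo_precheck(helo, client_ip, local_domains=LOCAL_DOMAINS,
                  local_networks=LOCAL_NETWORKS):
    """Cheap local check of the HELO/EHLO identity before any DNS work.

    Returns (verdict, reason) where verdict is:
      'reject'   - one of the obvious spoofs the post describes
      'skip'     - a bracketed literal that matches the client; nothing to
                   look up in DNS for a literal
      'continue' - no local evidence of spoofing; do the CSV/CSA lookups
    """
    ip = ipaddress.ip_address(client_ip)
    remote = not any(ip in net for net in local_networks)
    name = helo.strip().lower()

    # Case 1: a bracketed address literal must equal the connecting IP.
    if name.startswith("[") and name.endswith("]"):
        literal = name[1:-1]
        if literal.startswith("ipv6:"):      # RFC 2821 IPv6 literal form
            literal = literal[5:]
        try:
            if ipaddress.ip_address(literal) == ip:
                return "skip", "address literal matches client IP"
        except ValueError:
            return "reject", "malformed address literal"
        return "reject", "address literal does not match client IP"

    # Case 2: our own domain announced by a client outside our networks.
    if name.rstrip(".") in local_domains and remote:
        return "reject", "local domain announced from a remote address"

    # Minimal syntax sanity (assumed policy): HELO should be a FQDN.
    if not name or " " in name or "." not in name:
        return "reject", "HELO is not a fully qualified domain name"

    return "continue", "no local evidence of spoofing; proceed to CSV/CSA"


if __name__ == "__main__":
    for helo, ip in [("santronics.com", "198.51.100.7"),
                     ("[198.51.100.7]", "198.51.100.7"),
                     ("mail.example.org", "198.51.100.7")]:
        print(helo, ip, helo_precheck(helo, ip))
```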