**** DMP ****
1) solid I-D: Yes
There appears to be a security problem caused by the way a failed MAIL
FROM check may fall back to an EHLO check, allowing unintended forgery.
Alternatively this is a source of troublesome interoperability problems
if some servers fall back to EHLO and some don't.
Would be eliminated if the EHLO fallback were replaced with checking
Resent-From / SUBMITTER. A domain that wants to forward mail should start
using these, which is the case with marid-core anyway.
That alone wouldn't fix null reverse paths unless EHLO were used exclusively
for those, or the extra information in Resent-From / SUBMITTER were provided.
5) gratuitous incompatibilities: None.
Wildcard MX records.
Use an identical wildcard DMP record alongside it, such as:
$ORIGIN example.com.
@ IN MX mailhost1
* IN MX mailhost1
* IN TXT "dmp="
That would at least prevent forgeries of undefined subdomains until you had
an actual host you wanted to send mail as (like user@dummy.example.com), at
which point you'd create records for it or have the sending server provide
records via dynamic DNS update[1].
Doesn't everything tabled so far break when faced with a wildcard MX record
anyway?
[1] Someone told me providing records dynamically was a problem but never
provided an explanation.
--
PGP key (0x0AFA039E):
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
Sometimes it's hard to tell where the game ends and where reality bites,
er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>
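
The wildcard behaviour the message relies on, as an added example that is not part of the original post: a simplified Python model of RFC 4592 wildcard synthesis over the zone shown above. The `dummy IN A 192.0.2.10` record is constructed for illustration; it shows that once a name has any record of its own, the wildcard TXT and MX stop answering for it and for names beneath it.

```python
# Simplified model of DNS wildcard synthesis (RFC 4592) within one zone.
ORIGIN = "example.com"

# The three records from the message, with owner names written out in full.
ZONE_FROM_POST = {
    ("example.com", "MX"): ["mailhost1"],
    ("*.example.com", "MX"): ["mailhost1"],
    ("*.example.com", "TXT"): ["dmp="],
}

# Constructed for illustration: the host gets a record of its own.
ZONE_WITH_HOST = dict(ZONE_FROM_POST)
ZONE_WITH_HOST[("dummy.example.com", "A")] = ["192.0.2.10"]


def existing_names(zone):
    """Owner names in the zone plus the empty non-terminals above them."""
    names = set()
    for owner, _rtype in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name == ORIGIN or name.endswith("." + ORIGIN):
                names.add(name)
    return names


def lookup(zone, qname, qtype):
    """Return (status, rdata, owner that supplied the answer)."""
    qname = qname.lower().rstrip(".")
    names = existing_names(zone)
    if qname in names:
        # The name exists, so no wildcard is consulted, whatever the type.
        rdata = zone.get((qname, qtype), [])
        return ("NOERROR" if rdata else "NODATA", rdata, qname)
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in names:
            # Only a wildcard directly below the closest encloser applies.
            wild = "*." + encloser
            rdata = zone.get((wild, qtype), [])
            if wild in names:
                return ("NOERROR" if rdata else "NODATA", rdata, wild)
            return ("NXDOMAIN", [], None)
    return ("NXDOMAIN", [], None)
```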