Le lundi 26 Juillet 2004 23:01, Douglas Otis a écrit :
By making the authorization
based upon the message (RFC 2822), rather than the MTA (RFC 2821), the
overly broad nature of this task removes a clear definition of the
identity being checked.
Absolutely. At 2821 stage, we currently have ONE un-ambiguous sender identity,
which is MAIL FROM.
It is obvious to common sense that we should base our controls upon the
provided identity that is given to us, rather than having to reinvent, dig
out from the 2822 headers thru complex circonvolutions or whatever, another
supposedly "better" identity that we would like to check instead of the one
that has been given to us in the first place.
Shadok's word in french:
"Pourquoi faire simple quand on peut faire compliqué ?" ;-)
--
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E