On Monday, August 09, 2004 4:49 PM Shevek wrote:
On Mon, 9 Aug 2004, Harry Katz wrote:
On Monday, August 09, 2004 10:24 AM ned(_dot_)freed(_at_)mrochek(_dot_)com
wrote:
First, I am not proposing anything here. Not only is
SUBMITTER not
my idea, I have been quite clear that I am ambivalent about its
inclusion in MARID.
Second, the optimization in case 1 isn't a failure case but a
success case.
There may be a throughput improvement in some MTAs if the
check can
be done sooner. Mind you, I'm not saying there is
guaranteed to be
such an improvement
- just that it is a possibility. Actual implementation experience
would be needed to tell for sure.
Ned is exactly correct here. The purpose of SUBMITTER is to allow
early (i.e. at 2821-time) verification of the sender's identity,
namely the PRA. At the IETF meetings last week there was some
discussion of whether this would result in bandwidth saving,
throughput improvement, or no benefit at all. I tend to
think there
will be modest throughput improvement, but agree with Ned
that we need to verify through testing.
This is incorrect. At 2821 time, we know only who the sender
CLAIMS to be via SUBMITTER. It's not until after 2822 time,
when we can compare the SUBMITTER value to the PRA value
computed from the 2822 headers that we have verified the
identity of the sender.
Actually, it is correct. From section 4.2 of the submitter-02 draft:
If these tests indicate that the connecting SMTP client is not
authorized to transmit e-mail messages on behalf of the SUBMITTER
domain, the receiving SMTP server SHOULD reject the message and when
rejecting MUST use "550 5.7.1 Submitter not allowed."
If the receiving SMTP server allows the connecting SMTP client to
transmit message data, then the server SHOULD determine the purported
responsible address of the message by examining the RFC 2822 message
headers as described in [SENDER-ID]. If this purported responsible
address does not match the address appearing in the SUBMITTER
parameter, the receiving SMTP server SHOULD reject the message and
when rejecting MUST use "550 5.7.1 Submitter does not match header."
In other words, if SUBMITTER is present and fails the Sender ID check at
2821 time, then the message SHOULD be rejected. The subsequent matching
of SUBMITTER to 2822 headers is only to confirm - if DATA is accepted -
that the SMTP client didn't lie about the value.