Do I understand correctly that Sender-ID only authenticates the most
recent hop? In the simple case, this is the domain where the client
lives that sent the message. But in the more complex case, there may be
forwarding hosts in the middle.
i.e. my receiving MTA will authenticate the SMTP client delivering the
message to me. Specifically, it will ask, is the IP address connecting
to me authorized to send mail for the domain listed in the Purported
Responsible Address?
Or in example form... Some Guy at Yahoo! sends a msg to my Pobox.com
account (assuming I had one :-) which in turn, forwards the message to
MyWork address. Thus, the MTA at MyWork will see the msg coming from
Pobox.com and validate that the Source IP address of the incoming
message is authorized to send mail for the Pobox.com domain. The
receiving MTA at MyWork.com does not authenticate anything about the
yahoo.com domain.
Simple illustration:
SomeGuy(_at_)yahoo(_dot_)com ---> nleon(_at_)pobox(_dot_)com --->
nleon(_at_)MyWork(_dot_)com
Gory detail example...
EHLO host.yahoo.com
MAIL FROM:<SomeGuy(_at_)yahoo(_dot_)com>
RCPT TO:<nleon(_at_)pobox(_dot_)com>
DATA
Subject: let's do lunch
...
From: SomeGuy(_at_)yahoo(_dot_)com
To: nleon(_at_)pobox(_dot_)com
...
Hopefully, the MTA @ pobox.com validates against yahoo.com.
Pobox prepends a new header, and delivers the message to MyWork...
EHLO host.pobox.com
MAIL FROM:<SomeGuy(_at_)yahoo(_dot_)com>
SUBMITTER=<nleon(_at_)pobox(_dot_)com>
RCPT TO:<nleon(_at_)MyWork(_dot_)com>
DATA
Subject: let's do lunch
Resent-From: nleon(_at_)pobox(_dot_)com
...
From: SomeGuy(_at_)yahoo(_dot_)com
To: nleon(_at_)pobox(_dot_)com
...
Finally, the MTA @ MyWork validates against pobox.com (and not
yahoo.com)
So Sender-ID relies on the MTAs at each hop to do the authentication?
If I was using P-U-box.com (instead of POBox.com) and the MTA at P-U-box
didn't know about Sender-ID, I could receive junk at MyWork with an
SPF/PASS. (assuming P-U-box did publish SPF records) Then I would
obviously change my service provider, or yell at them until they
implemented Sender-ID. :)
Please correct any misunderstandings!
TIA,
Nate
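Added worked example (not part of Nate's message or of any Sender-ID implementation): a small Python model of the two-hop exchange above, showing which domain each receiving MTA actually checks. The Purported Responsible Address is chosen with the RFC 4407 header preference order, simplified to "topmost instance of the first header present" (Resent-Sender, then Resent-From, Sender, From); the SUBMITTER value from MAIL FROM is checked against that PRA as RFC 4405 describes. The authorization table stands in for each domain's published spf2.0/pra record, and the IP addresses and message texts are constructed for illustration. It also goes one step beyond the post by showing what happens when the forwarder relays without adding Resent-From.

```python
"""Sender-ID (PRA) evaluation of the two-hop forwarding exchange in the post.

Added example, not part of the original message. The authorization table,
IP addresses and message texts are constructed and stand in for real
spf2.0/pra DNS records and real SMTP sessions.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for each domain's published "spf2.0/pra" record:
# the set of client IPs allowed to send mail whose PRA is in that domain.
AUTHORIZED_SENDERS = {
    "yahoo.com": {"192.0.2.10"},     # host.yahoo.com (constructed IP)
    "pobox.com": {"198.51.100.20"},  # host.pobox.com (constructed IP)
}

# RFC 4407 header preference order, simplified: the topmost instance of the
# first header present wins (the full algorithm also walks Resent- blocks).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def select_pra(raw_message):
    """Return the Purported Responsible Address of a message, or None."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        value = msg.get(name)  # first (topmost) instance of that header
        if value:
            _, addr = parseaddr(value)
            if addr:
                return addr.lower()
    return None


def domain_of(address):
    """Domain part of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate_hop(connecting_ip, raw_message, submitter=None):
    """Evaluate one SMTP hop the way a Sender-ID-aware receiving MTA would.

    Returns (checked_domain, result). Only the connecting IP and the PRA of
    THIS hop are examined; nothing about earlier hops is authenticated.
    """
    pra = select_pra(raw_message)
    if pra is None:
        return (None, "fail")
    domain = domain_of(pra)
    # RFC 4405: a SUBMITTER given at MAIL FROM must agree with the PRA found
    # after DATA; a mismatch is grounds for rejection.
    if submitter is not None and submitter.lower() != pra:
        return (domain, "fail")
    allowed = connecting_ip in AUTHORIZED_SENDERS.get(domain, set())
    return (domain, "pass" if allowed else "fail")


# Hop 1: host.yahoo.com -> pobox.com, the message as first submitted (constructed).
HOP1_MESSAGE = (
    "Subject: let's do lunch\r\n"
    "From: SomeGuy@yahoo.com\r\n"
    "To: nleon@pobox.com\r\n"
    "\r\n"
    "Lunch?\r\n"
)

# Hop 2: host.pobox.com -> MyWork.com, after pobox prepended Resent-From.
HOP2_MESSAGE = "Resent-From: nleon@pobox.com\r\n" + HOP1_MESSAGE


def run_scenarios():
    """Results for each hop in the post, plus the no-Resent-From case."""
    return {
        # pobox.com's MTA checks yahoo.com's record against host.yahoo.com's IP
        "hop1_at_pobox": evaluate_hop("192.0.2.10", HOP1_MESSAGE),
        # MyWork's MTA checks pobox.com's record; yahoo.com is never consulted
        "hop2_at_mywork": evaluate_hop("198.51.100.20", HOP2_MESSAGE,
                                       submitter="nleon@pobox.com"),
        # A forwarder that relays without adding Resent-From leaves the PRA at
        # yahoo.com, which does not authorize pobox's IP, so the check fails
        "hop2_no_resent_from": evaluate_hop("198.51.100.20", HOP1_MESSAGE),
    }


if __name__ == "__main__":
    for name, (domain, result) in run_scenarios().items():
        print(f"{name}: checked {domain} -> {result}")
```

Note that MAIL FROM is SomeGuy@yahoo.com on both hops, so a classic SPF check at MyWork would fail; the PRA check passes at hop 2 only because pobox prepended Resent-From (and announced it via SUBMITTER). A pass at MyWork says that pobox's host was allowed to send mail for pobox.com, nothing more.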