ietf-mxcomp

RE: DEPLOY - IP, HELO & touch count. DOC-BUG too.

2004-08-26 13:35:19

On Thu, 2004-08-26 at 11:12, Jim Lyon wrote:
Matthew Elvey raises two points that I summarize as follows: 

1. If you don't know what a domain's outward-facing MTAs are,
   it's really hard to build a SenderID record. (And he estimates
   that half of his customers are in this boat.)

True.

2. If instead of SenderID, we'd merely authenticated the HELO name,
   and built up reputation systems that say whether particular
   HELO names behave reasonably, these people's lives would be easier.

It's true, but it's a whole lot weaker form of authentication. 

An authenticated and authorized EHLO domain as an "accountable identity"
is orders of magnitude stronger than what is established using a
Sender-ID selection of an RFC2822 Mailbox Domain as an "accountable
identity."  The authentication of the EHLO domain clearly authenticates
the entity sending the mail as a message broker.  The identity of the
sender is obfuscated by the relayed nature of mail (the many brokers). 
The identity of the sender depends upon these brokers controlling
access.  Any identity that attempts to resolve to a sender is premised
upon each broker controlling access.  Nothing within Sender-ID can
establish this assumption.  Nothing within Sender-ID locates a specific
MTA not controlling access.  Basing reputation on EHLO would locate
faulty MTA administration.  Nothing within Sender-ID allows a strong
assertion of the sender's identity.   

I don't care whether a mail server is who he says he is, I care
whether he's authorized to send the message he's trying to send.

Authentication is not authorization!

A) Is the specific Mailbox Domain within a prescribed Mail Channel?
B) Is this the sender of the message?

These are two different questions you seem to be confusing.  By implying
Sender-ID provides the answer to 'B', grievous harm may befall those
submitted to a reputation service.  As the EHLO domain does authenticate
the entity, unlike Sender-ID, this identity can be safely submitted to a
reputation service.  It would be "really good" if Microsoft would
include all the headers when mail gets forwarded to facilitate a
reputation submittal. It would be "really bad" if Microsoft convinced
users that only the PRA is required.  Whether the Mailbox Domain is within a
prescribed Mail Channel forms an entirely different question from
whether this is the sender of the message!

See:
http://www.ietf.org/internet-drafts/draft-otis-marid-mpr-00.txt

Although there may be exceptional Mailbox Domain restrictions or sorting
based upon prescribed message brokers, there is _no_ means to
authenticate the author of a message in this manner.  The MTA may be
shared, the MTA may not be checking Mail Channel prescriptions for
submitted Mailbox Domains, and a lapse may occur within either an
inbound or an outbound relay.  SMTP is not an end-to-end system.

-Doug
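As an added illustration of the two questions separated above, not code from this thread or from any Sender-ID or SPF implementation, the following Python model evaluates a constructed spf1-style record for the EHLO domain and for the PRA domain independently. The domain names, addresses and record contents are invented for the example; three customer domains share one MTA, so a PRA "pass" cannot tell them apart, while the EHLO check identifies the message broker itself.

```python
import ipaddress

# Constructed sample policy records (not real DNS data): an spf1-style
# record per domain listing the MTA addresses allowed to send for it.
RECORDS = {
    "mta.example.net": "v=spf1 ip4:192.0.2.10 -all",    # the shared MTA's own EHLO name
    "alice.example":   "v=spf1 ip4:192.0.2.10 -all",    # customer hosted on that MTA
    "bob.example":     "v=spf1 ip4:192.0.2.10 -all",    # another customer, same MTA
    "solo.example":    "v=spf1 ip4:198.51.100.7 -all",  # domain with its own MTA
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check(domain, ip):
    """Toy evaluator for spf1 records using only ip4 and all mechanisms.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # other mechanisms are outside this toy model
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def evaluate_message(client_ip, ehlo_domain, pra_domain):
    """Answer the two questions separately: does the EHLO identity
    authenticate the connecting MTA (question B), and is the PRA domain
    within a channel that prescribes this MTA (question A)?
    One result never implies the other."""
    return {"ehlo": check(ehlo_domain, client_ip),
            "pra": check(pra_domain, client_ip)}
```

Because alice.example and bob.example both prescribe 192.0.2.10, a message from that MTA passes the PRA check for either domain; only the EHLO result names an entity that can be held accountable.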