Section 4.2:
If these tests indicate that the connecting SMTP client is not
authorized to transmit e-mail messages on behalf of the SUBMITTER
domain, the receiving SMTP server SHOULD reject the message and when
rejecting MUST use "550 5.7.1 Submitter not allowed."
What if the SMTP server doesn't support ENHANCED-STATUS-CODES? What about
error message i18n and l10n? The same comments apply to the next two
paragraphs. There's also no reference to RFC 3463 in the draft.
Verifying MTAs are strongly urged to validate the SUBMITTER parameter
against the RFC 2822 headers; otherwise, an attacker can trivially
defeat the algorithm.
Is that a MUST or a SHOULD? Isn't it redundant with the previous paragraph
but one?
Tony.
--
f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
FISHER GERMAN BIGHT: SOUTHERLY 3 OR 4. MAINLY FAIR. MODERATE OR GOOD.