ietf-mxcomp

Re: SPF abused by spammers

2004-09-11 14:06:41

"Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org> wrote:
A DNS check that obtains a list of addresses for a mailbox-domain, MUST
assume channel integrity when holding the apparent originator of the
message accountable.

  What channel?  The only parties involved are:

  a) SMTP client
  b) SMTP server
  c) DNS server being queried

  The DNS server may return one, or a billion IPs "permitted" to send
MAIL FROM with its name.  Any particular message may have traversed
zero, or a billion intermediate SMTP hops before arriving at the
current SMTP client, and being sent to the SMTP server.

  I fail to see how any party other than the three listed above could
possibly be involved in "MAIL FROM" DNS checks.  There is no "channel"
beyond the current hop, which can be verified to exist.

Due to forwarding issues, expect many lists to be left "open" to allow
other unknown domains to forward messages.

  As has been noted here, as elsewhere, users affected by forwarding
issues are a very, very small percentage of people on the net.  As a
result, the reasonable expectation is that very few domains will have
"open" or permissive records.

There are clearly two steps needed, but these two steps have been
collapsed into one very broken step with SPF or Sender-ID.

Step 1: Authenticate the MTA EHLO name.
Step 2: Compare the mailbox-domain/EHLO list to this name.

  I'm not sure what you mean by the second step.

One can not defend assumptions of accountable entities by suggesting
the mail channel is "defined" to have integrity.

  You're not addressing my scenario, or my reasons for my position.
You're just labelling my position as based on "assumptions", and
therefore any "definition" I come up with is, in your opinion, defined
to be indefensible.

Listing a name and blocking their mail because you don't care which entity
actually caused the message to be sent is also... not nice.

  Which is why I didn't say that.  Please don't accuse me of saying "I
don't care", it's rude and insulting.  My position, if you had read my
messages, is that IF the recipient cannot tell the difference between
"good" and "bad" originators, then he MUST treat them as identical.
Because, by definition, he has no information by which to distinguish
them.

  Unless... do you have a way for the recipient to treat "good" and
"bad" originators differently, in the absence of any data which can be
used to distinguish them?  If you do, I would be... surprised.

What entity should be held accountable?  The entity authenticated as
sending the mail, or the mailbox-domain that authorized the mail to be
sent?

  Each has a different role, therefore their accountability should be
different.

Obtaining an authorization is not the same as authentication of the
acting entity.

  I'm not sure how that applies to the issues on this list.

  An SMTP server can obtain authentication information from a DNS
server for an SMTP client, and use that information to authorize the
client.  If there's no authentication information available, then the
SMTP server cannot use that information to authorize the user.

MAIL FROM and EHLO based checks are identical in security.

These checks are not the same.

  Which is why I didn't say they were the same.

You are devising a system that requires mailbox-domains authorize
other domains to send their mail.

  No.  "domains" don't send mail.  SMTP clients send mail, and use
domain names in fields in SMTP.  The difference is crucial.  SMTP
clients can be correlated to domain names via:

  - rDNS
  - EHLO
  - MAIL FROM

  And not much else.  Because there is no easily available mapping of
"domain" to SMTP client, other than those fields, SMTP servers cannot
use anything other than those fields to tie the SMTP client to a
domain name.  So talking about "authorizing domains" is a
misconception.  SMTP clients are authorized, nothing else can be.

If the sending MTA EHLO name is authenticated and authorized by the
EHLO domain, then it does not matter what mailbox-domain is sent,
this EHLO entity can be safely held accountable for the MTA actions.

  How?  In contrast, by checking MAIL FROM, you can at least have some
confidence that a bounce path exists, and any errant message will be
accepted by the originator.

  If someone can't tell the difference between two things, then it
MUST treat the two things as identical.

But these things can be identified by an authenticated EHLO name.  They
MUST NOT be treated as identical.

  If two domains use the same MTA, which uses only one authenticated
EHLO name, then by your definition, only the domain in EHLO can be
held accountable, and all recipients must therefore treat the two
domains identically.

  Hmm... have I used your definitions to prove my point?

A reputation service spends most of their efforts ensuring information.
Using the IP address makes this process rather straightforward.  Using an
authenticated EHLO name follows the same model and directly identifies
those sending the messages.

  It authenticates the MTA sending the messages, which is a little
different.

To suggest that because the EHLO domain was not considered, means a
reputation service can safely hold entities accountable for the
action of others will not have much sway.

  It's not unreasonable to hold multiple parties accountable for a
message.  ISPs are already holding other ISPs responsible for the
actions of their customers.  It's not unreasonable to use MAIL FROM
accountability in addition to EHLO.

  Alan DeKok.
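The per-hop checks argued over above (rDNS, an authenticated EHLO name, and a MAIL FROM address list), as an added example that is not part of the thread. It uses a constructed in-memory DNS table in place of real lookups; the record formats, host names and addresses are assumptions of this example.

```python
import ipaddress

# Constructed DNS data (assumption of this example, not from the thread):
# PTR and A records, plus a per-mailbox-domain list of permitted client
# networks standing in for a "list of addresses for a mailbox-domain".
DNS = {
    "PTR": {"192.0.2.10": "mx1.example.net"},
    "A": {"mx1.example.net": ["192.0.2.10"]},
    "PERMIT": {
        "alpha.example": ["192.0.2.0/24"],      # alpha and beta share mx1
        "beta.example": ["192.0.2.10"],
        "gamma.example": ["198.51.100.0/24"],   # gamma does not use mx1
    },
}

def rdns_matches(ip: str, ehlo: str) -> bool:
    """PTR record of the client IP names the EHLO host."""
    return DNS["PTR"].get(ip, "").lower() == ehlo.lower()

def ehlo_authenticated(ip: str, ehlo: str) -> bool:
    """Step 1 in Otis' terms: the EHLO name resolves to the client IP."""
    return ip in DNS["A"].get(ehlo.lower(), [])

def mailfrom_permitted(ip: str, domain: str) -> bool:
    """The MAIL FROM domain lists the client IP among its permitted senders."""
    addr = ipaddress.ip_address(ip)
    nets = DNS["PERMIT"].get(domain.lower())
    if nets is None:
        return False  # no record: no information on which to authorize
    return any(addr in ipaddress.ip_network(n) for n in nets)

def hop_identities(ip: str, ehlo: str, mailfrom_domain: str) -> dict:
    """Everything the receiving SMTP server can verify at the current hop."""
    return {
        "rdns": rdns_matches(ip, ehlo),
        "ehlo": ehlo_authenticated(ip, ehlo),
        "mailfrom": mailfrom_permitted(ip, mailfrom_domain),
    }

if __name__ == "__main__":
    # alpha and beta are indistinguishable by EHLO alone; MAIL FROM adds a
    # per-domain authorization that gamma fails even though EHLO checks out.
    for dom in ("alpha.example", "beta.example", "gamma.example"):
        print(dom, hop_identities("192.0.2.10", "mx1.example.net", dom))
    print("forged EHLO", hop_identities("192.0.2.10", "mx.bogus.example", "alpha.example"))
```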

