ietf-mxcomp

Re: SPF abused by spammers

2004-09-12 06:09:41

"Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org> wrote:
> The MAIL FROM mailbox-domain was passed through the mail channel

  WHAT "mail channel"?  I have described what I think of as the "mail
channel", and given reasons for my conclusions.  You haven't.

> for messages not originating at the SMTP client.

  I explained why the SMTP server cannot verifiably know that, and why
(for all practical purposes), the SMTP client is the only verifiable
originator of the message.  You haven't explained why you disagree, or
what errors (if any) exist in my message.

  Simply stating a contrary position is not an argument.

> This is normally the case for the SMTP client performing public
> delivery.  This adds at least an additional SMTP client/server pair.

  Which is effectively what I said in the paragraph below the one you
quoted, and where I explained why it didn't matter to the SMTP server.

> I am not attempting to dodge your scenario.  I do not agree you have
> adequately described the situation or considered risks involved in making
> negative assessments against a name.

  The risks involved are undertaken by the mailbox-domain, when it
publishes MTA authentication records in DNS.  The scope of those risks
is defined by the documents under discussion in this group.  As for
my consideration of those risks, I've explained my reasons, and I
don't think I've seen you refute any of them.  You've just stated that
you disagreed, and then talked about your position.  That's nice, but
it doesn't give me any insight as to why you disagree with my
position, or what's wrong with my position.

> The concept of good and bad should be reserved for reputations of
> the MTA name.

  Why?  I've explained why and how MAIL FROM accountability can be
safely applied.

> A message (or message action) authorization is not sufficient to
> hold the mailbox-domain accountable and asserting a reputation for the
> mailbox domain.

  Why?  If any MAIL FROM authentication system is intended to hold a
domain accountable, then MAIL FROM authorization is perfectly valid
for holding that domain accountable.

> You seem to suggest the MAIL FROM and EHLO identities are equally strong.
> They are not.

  Why?  And I'm not suggesting they're equally "strong", but that both
may be used, each for different purposes.  Saying "they have different
kinds of accountability" is a clear statement that one may be more, or
less, accountable than the other.

> I don't wish to get bogged down in semantics and protocol details.

  Uh... what else is there?  If we're not going to discuss the
protocols involved, then we're talking about "angels on the head of a
pin", and not doing engineering.

> The MAIL FROM name may not correlate to the entity accountable
> for the actions of the MTA.

  And sometimes it may.  The two statements are not contradictory.
The MAIL FROM name may also correlate with the entity accepting
accountability for the *message*, which is what I've been saying all
along.  And that statement does not contradict, or invalidate, the
idea that an entity (possibly different) is responsible for the
actions of the MTA.

  Alan DeKok.

