ietf-mxcomp

Re: SPF abused by spammers

2004-09-14 07:30:05

Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
The MTA may be authorized to send on behalf of MAIL FROM, but that
is not the same as authenticating the entity associated with the
identity MAIL FROM as being the originator.

  I agree 100%.

  The problem is that because the bounce path is not verifiable, the
originator is anonymous, and the MAIL FROM identity can't be trusted
for anything.  In the absence of a method to verify the bounce path,
authenticating the MTA using the domain in the MAIL FROM identity is a
good first step.

  I can think of scenarios where a domain sends mail from *only* one
MTA, and that MTA uses EHLO with another domain name.  In that case,
the first domain SHOULD have some way of saying "this MTA sends MAIL
FROM using my name".  Authenticating the EHLO doesn't get you that
information, so we need something more.

SPF or Sender-ID confirmation does not mean this entity associated
with the MAIL FROM identity had originated the message.

  But the recipient can't tell who the "real" originator is.  So far
as it sees, the SMTP client talking to its SMTP server *is* the
originator.

  Publishers should expect recipients to do the most curious things,
for the most inane reasons.

What does this mean?

  'publishers should also expect to be black-listed when they publish
an "open" record'

  Not because it's a good idea, but because people will do anything
they want, including blacklisting domains containing the letter "a".

  In other words, our desires about how the records are interpreted
may be written down in a specification, but we should not expect
everyone to follow that specification.

How do you arrive at publishing an SPF record being tantamount to
accepting accountability for all actions of these authorized entities? 

  If that's what the spec says publishing a record means, that's the
semantics of the record.

If one were to authorize a provider to send mail, and their provider's
system became compromised, would it not be better to accredit the
provider for resulting abuse?

  Multiple parties were involved, multiple parties share the
reputation gained through sending those messages.

Won't this resolve the problem sooner than causing an innocent party
to litigate for protection from a sloppy reputation assessment?

  That's a local legal issue.  Some jurisdictions have reasonable
laws, others don't.  We shouldn't let the possibility of legal action
dissuade us from designing a solution.

The marid-mpr draft shows how the authentication of the MTA client can
be accomplished separately from the mailbox-domain authorization.  By
doing both steps independently, there is no need to hold the mailbox
domain accountable for the actions of the client MTA they authorize. 

  Interesting.  If I authorize someone to act on my behalf, I am
generally accountable for at least some of their actions.  Removing
this accountability is a unique feature of MPR.

  Alan DeKok.
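
The single-MTA scenario and the "open" record discussed in this message, as an added example that is not part of the original message or of any SPF implementation. It is a simplified model that evaluates only the `ip4` and `all` mechanisms against constructed records; the domain names, addresses and the function names `check_host` and `evaluate` are assumptions chosen for illustration.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation names and addresses).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.10 -all",           # mailbox domain with one MTA
    "mta.provider.example": "v=spf1 ip4:192.0.2.10 -all",  # name that MTA uses in EHLO
    "open.example": "v=spf1 +all",                         # an "open" record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Evaluate only the ip4 and all mechanisms of a record (simplified model)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # the domain says nothing about who may use its name
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def evaluate(ip, ehlo, mail_from):
    """Check the EHLO name and the MAIL FROM domain as two separate identities."""
    mail_from_domain = mail_from.rsplit("@", 1)[-1]
    return {
        "ehlo": check_host(ip, ehlo),
        "mail_from": check_host(ip, mail_from_domain),
    }


if __name__ == "__main__":
    # The authorized MTA, announcing a different name in EHLO than in MAIL FROM.
    print(evaluate("192.0.2.10", "mta.provider.example", "user@example.org"))
    # Same MTA, MAIL FROM domain with no record: the EHLO result does not carry over.
    print(evaluate("192.0.2.10", "mta.provider.example", "user@unrelated.example"))
    # An unrelated client using a domain that publishes an "open" record.
    print(evaluate("198.51.100.7", "client.example", "user@open.example"))
```

A "pass" for the EHLO name comes from the provider's record only; whether that MTA may use a given MAIL FROM domain is answered solely by that domain's own record, and an "open" record answers "pass" for every client.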

