Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
You describe that as authenticating the MTA, but what this operation is
doing is validating the MTA as authorized to send a message containing
the MAIL FROM.
<sigh> The recipient (SMTP server) is authorizing the MTA (SMTP
client) as an MTA authentically within the domain named in MAIL FROM.
There are two things needed as independent steps. One, authenticate the
name of the MTA to allow safe reputation assertions.
And that's where I disagree. For me, the point of MAIL FROM
authentication is not about reputation assertions, it's about the
ability of the domain named in MAIL FROM to control the use of it's
name.
e.g. example.com & example.org share an outgoing MTA:
out.example.com. In SMTP conversations, it announces itself as "EHLO
out.example.com". It may then say "MAIL FROM: user(_at_)example(_dot_)org".
Nothing in SMTP today permits the recipient to determine if
"out.example.com" is a valid outgoing MTA for example.org. My goal in
this area is to provide a way to make that determination. Stopping
spam, and reputation services, are interesting, but not something I
find to be practical.
i.e. If MAIL FROM authentication records in DNS stop other people
using my name in vain, that's great. I don't care how other people
restrict (or not) the user of their names: that's up to them. For me,
the issue isn't that authentication will stop other people from
spamming me, it's that it will stop other people from claiming that
I'm spamming them.
But neither SPF nor Sender-ID properly identify the MTA.
For some meaning of the word "properly".
Blocking by the mailbox domain may unfairly block innocent victims
of spoofing, but blocking by the MTA EHLO name will safely block the
MTA with the problem.
You then label everyone at the MTA with a broad brush. Sure, the
MTA is ultimately responsible, but if a recipient can use "MAIL FROM"
to tell that a subset of domains via that MTA are "bad", then it would
be imprudent to label *all* domains at that MTA "bad", just because
you authenticated the MTA via EHLO.
Alan DeKok.