ietf-mxcomp

Re: SPF abused by spammers

2004-09-17 10:39:44

On Fri, 17 Sep 2004, Alan DeKok wrote:

  Your system describes a method for a shared MTA to guarantee that
any message it forwards is truly from the claimed originator.  That's
nice, but not useful to anyone else in the network.

My setup's a bit odd in that the MX, MSA, and general-purpose relay are
different functions of the same system. This means care is required when
thinking about the various functions.

Although you can set up BATV on an outgoing relay in the manner that you
rightly criticise, if you set it up on an authenticated MSA and the
corresponding MDA you do get the guarantees that you want.

  Any method which permits the recipient to verify the "MAIL FROM"
must involve the originator.

Agreed.

The shared MTA can claim that it is forwarding the message, but because
it is not the originator, it cannot authenticate the message as truly
coming from the originator.

In my case I can because the shared MTA is also the MSA and the final
delivery system for the domain in question. It is therefore authoritative
regarding which addresses are valid at that domain. If a message is
submitted other than via the MSA, or without a username and password
corresponding to the bounce address, it'll be rejected.

That information is not available to others in the network, so they
cannot perform the same authentication to satisfy themselves as to the
true origin of the message.

At the moment you can use callback verification to achieve this. We hope
to have more lightweight alternatives in the future. Note that if
intermediate MTA relays do CBV then the MSA/MDA for the domain don't have
to be directly accessible to the Internet: CBV is transitive.

And they cannot take the word of the shared MTA, as it may be
compromised.

At that point you have to rely on reputation systems. Authentication is
not the whole of the solution. A domain with poor authentication is a
spammer-friendly domain.

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
COLWYN BAY TO THE MULL OF GALLOWAY INCLUDING THE ISLE OF MAN: SOUTH OR
SOUTHWEST 4 OR 5, INCREASING 6 TO GALE 8 FOR A TIME, VEERING WEST 5 OR 6
LATER. RAIN THEN SHOWERS. MODERATE OR GOOD, PERHAPS POOR FOR A TIME. ROUGH.
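
An added example, not part of the original message and not taken from any BATV specification: a sketch of the arrangement described above, where the MSA tags the bounce address only for an authenticated owner of that address and the MDA accepts bounces only to a validly tagged recipient. The `sig=` tag layout, the key, the seven-day lifetime and the user table are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"               # constructed secret shared by MSA and MDA
OWNERS = {"alice": {"alice@example.org"}}   # constructed: addresses each login may send as
LIFETIME = 7                                # assumed tag lifetime in days


def _mac(expiry: int, addr: str) -> str:
    """Truncated HMAC over the expiry day and the original bounce address."""
    msg = f"{expiry:03d}{addr}".encode()
    return hmac.new(KEY, msg, hashlib.sha1).hexdigest()[:6]


def msa_sign(auth_user, mail_from, today):
    """MSA: return a tagged bounce address, or None to reject the submission."""
    if auth_user is None or mail_from not in OWNERS.get(auth_user, set()):
        return None                         # unauthenticated, or not the user's address
    expiry = (today + LIFETIME) % 1000
    local, domain = mail_from.rsplit("@", 1)
    return f"sig={expiry:03d}{_mac(expiry, mail_from)}={local}@{domain}"


def mda_accept_bounce(rcpt_to, today):
    """MDA: accept a null-sender message only if the recipient tag verifies."""
    local, _, domain = rcpt_to.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "sig" or len(parts[1]) != 9:
        return False                        # untagged address: bounce is forged
    tag, orig_local = parts[1], parts[2]
    if not (tag[:3].isascii() and tag[:3].isdigit()):
        return False
    expiry = int(tag[:3])
    if (expiry - today) % 1000 > LIFETIME:
        return False                        # tag expired or dated too far ahead
    expected = _mac(expiry, f"{orig_local}@{domain}")
    return hmac.compare_digest(tag[3:].encode(), expected.encode())


if __name__ == "__main__":
    tagged = msa_sign("alice", "alice@example.org", today=100)
    print(tagged, mda_accept_bounce(tagged, today=103))
    print(mda_accept_bounce("alice@example.org", today=103))
```

A remote MTA doing callback verification against this MDA would see the same accept or reject decision, which is how the check becomes visible to others in the network.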