At 1:39am -0400 17/4/2005, John P Baker wrote:
> However, it seems to me that when a message first enters the mail system
> (i.e., an ISP SMTP server receives a message from a client of that ISP),
> validation of the return address could be required. Specifically, the
> "From" mailbox specified in the message header could, pursuant to an SMTP
> extension, be validated against a list of mailboxes allocated by the ISP to
> the client with whom the SMTP server is in session.
>
> There may already be something in the RFCs that I have yet to find.
> I am just beginning my research into this.

If you haven't yet, have a look at RFC 2554 (SMTP Service Extension
for Authentication) and RFC 2476 (Message Submission).

An ISP or organization wanting to enforce a policy like you describe
would force all clients to use SMTP AUTH, by doing something like
blocking client IPs from using port 25 and requiring SMTP AUTH on a
Message Submission port. Then credentials supplied via SMTP AUTH can
be used to decide what MAIL FROM, From, etc. addresses that
client is allowed to use.

SMTP AUTH and the ability to change the port used for SMTP are
already widely supported in clients, so it is basically a case of
supporting those and implementing suitable policy at the server side.
Glenn.
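
A sketch of the server-side policy described in the reply above, as an added example that is not part of the original message: once a client has authenticated with SMTP AUTH on the submission port, the login decides which MAIL FROM and From/Sender addresses are accepted. The `ALLOWED_SENDERS` table, the `check_submission` function and the reply texts are hypothetical names and constructed data.

```python
# Added example: hypothetical submission-server policy check, not code from the thread.
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample data: mailboxes the ISP has allocated to each SMTP AUTH login.
ALLOWED_SENDERS = {
    "alice": {"alice@example.net", "sales@example.net"},
    "bob": {"bob@example.net"},
}


def _norm(addr):
    """Lower-case an address for comparison (case-insensitive matching is an assumption)."""
    return addr.strip().lower()


def check_submission(auth_user, mail_from, raw_message):
    """Return (accepted, reply) for a message offered on the submission port."""
    if auth_user is None:
        # No SMTP AUTH credentials were supplied for this session.
        return False, "530 authentication required"
    allowed = ALLOWED_SENDERS.get(auth_user, set())

    # Envelope sender from the MAIL FROM command; the null sender <> is refused here.
    envelope = _norm(parseaddr(mail_from)[1])
    if envelope not in allowed:
        return False, "550 MAIL FROM not permitted for this login"

    # Header senders: every From mailbox, and Sender if present, must be allocated
    # to the authenticated login.
    msg = message_from_string(raw_message)
    header_values = msg.get_all("From", []) + msg.get_all("Sender", [])
    addrs = [_norm(a) for _, a in getaddresses(header_values) if a]
    if not addrs:
        return False, "550 message has no usable From mailbox"
    for addr in addrs:
        if addr not in allowed:
            return False, "550 header address %s not permitted for this login" % addr
    return True, "250 ok"
```

Checking only the envelope would leave the header From unconstrained, which is why both are compared against the same per-login list.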