ietf-smtp

Re: OT Brainstorm: Email Validation among different systems

2007-05-02 10:02:11

David F. Skoll wrote:

Ponder the security risks of such an implementation.

Like what?

You see no security risks in allowing some random person to set your
valid recipient list using unauthenticated e-mail?  (X-Note: Password
is pretty weak authentication and easily sniffed.  At the very least,
the e-mail should be PGP-signed and possibly encrypted before being
accepted.)

Hmmmm, David, that was a template to create the required email. How it was signed, sent or delivered is really not the point. Maybe it was signed, maybe TLS/AUTH was used. Even then I would personally, and still do, have more trust in a standard 1 to 1 email transaction than what you are proposing. Once received, who knows what the other end did. It is private mail. So it has a weak X-Note? Maybe it is used to confirm the TLS/AUTH. Who knows? That's their internal issue. Hands down, no question, the method that is already in place is more secure than a public database proposal.

Let's see, why not use existing user validation: LDAP? RADIUS?

Because DNS is widely-implemented, lightweight, scalable, cacheable
and has built-in facilities for replication.

True. RADIUS is pretty fast. LDAP, RADIUS already exist for user authentication. Even then, you still have to write the protocol, and get everyone to get on board which will take time. And who is the customer? The Secondary MX Service Bureau who more than likely has a system in place?

(NOTE: Devil's Advocate here <g>)

>> Correct. That was the goal of the example. The IP input
>> was my address using your address - SPF rejected it
>> as expected.

> No, check the URL in my original e-mail again.  I used my IP address.

What you used was:

   ip   = 209.191.13.82
   cdn  = [209.191.13.82]
   from = dfs(_at_)roaringpenguin(_dot_)com

and SPF reported FAIL which is correct.

The SPF DNS TXT query for roaringpenguin.com is:

      v=spf1 a -all

which says:

Query the A record of the domain roaringpenguin.com, which is:

       206.191.13.82

and test the IP against the connecting IP 209.191.13.82 (simulated input). Since it did not match, the hard fail, -all, resulted in an SPF FAIL.

Change the IP to 206.191.13.82 at the test form or the URL and you will get a correct pass:

20070502 12:28:01 00006e74 cip : 206.191.13.82
20070502 12:28:01 00006e74 cdn : [206.191.13.82]
20070502 12:28:01 00006e74 from : dfs(_at_)roaringpenguin(_dot_)com
....
20070502 12:28:02 00006e74 sapspf : v=spf1 a -all
20070502 12:28:02 00006e74 sapspf : pass (time:0)
20070502 12:28:02 00006e74 finaltest : SPF GlobalResult=-1
                                       CodeResponse=250
20070502 12:28:02 00006e74 result : accept (-1)
20070502 12:28:02 00006e74 wcsap finish (453 msecs)

But I would still love to see your DNS-VRFY I-D proposal! <g>

I've never done an I-D before.  If anyone on the list wants to help
out, please e-mail me off-list.

Here is what most everyone uses with the spiffy XML2RFC outline/editor.

    http://xml.resource.org/

With this tool, you would be able to create the TXT, HTML and XML.

--
HLS
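The SPF walk-through above (query the TXT record, resolve the `a` mechanism to the domain's A record, compare with the connecting IP, fall through to `-all`) is easy to reproduce in code. The following is an added example written for this archive page; it is not code from the thread or from either poster's mail software. It evaluates a small subset of SPF (the `a`, `mx`, `ip4`, `include` and `all` mechanisms with their qualifiers) against a constructed in-memory DNS table instead of live lookups. The `roaringpenguin.com` entries mirror the record and address quoted in the message; the `example.org` entries are made up to show the `ip4`, `mx` and `~all` cases the message does not cover.

```python
"""Minimal SPF evaluator (subset of RFC 7208) over a constructed DNS table.

Added example for illustration; not the thread's own code. DNS data below is
constructed: roaringpenguin.com mirrors the record quoted in the message,
example.org is invented to exercise ip4 / mx / ~all.
"""
import ipaddress
import re

# Constructed DNS table: name -> record type -> list of values.
DNS = {
    "roaringpenguin.com": {"TXT": ["v=spf1 a -all"], "A": ["206.191.13.82"]},
    "example.org": {"TXT": ["v=spf1 ip4:192.0.2.0/24 mx ~all"],
                    "MX": ["mx.example.org"]},
    "mx.example.org": {"A": ["198.51.100.25"]},
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# mechanism[:target][/prefix-length]; modifiers (redirect=, exp=) are skipped.
TERM_RE = re.compile(r"^(all|ip4|a|mx|include)(?::([^/]+))?(?:/(\d{1,2}))?$", re.I)

MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-causing terms at 10


def lookup(dns, name, rtype):
    """Return the list of records of the given type, or [] if absent."""
    return dns.get(name.lower(), {}).get(rtype, [])


def spf_record(dns, domain):
    """Return the single v=spf1 TXT record for a domain, or None."""
    recs = [t for t in lookup(dns, domain, "TXT")
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def ip_in(client_ip, addr, prefix):
    """True if client_ip lies inside addr/prefix (prefix None means /32)."""
    net = ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)
    return ipaddress.ip_address(client_ip) in net


def mechanism_matches(dns, name, arg, prefix, domain, client_ip):
    """Evaluate one non-include mechanism against the connecting IP."""
    if name == "all":
        return True
    if name == "ip4":
        return ip_in(client_ip, arg, prefix)
    target = arg or domain            # 'a' and 'mx' default to the current domain
    if name == "a":
        addrs = lookup(dns, target, "A")
    else:                             # 'mx': A records of every MX host
        addrs = [a for host in lookup(dns, target, "MX")
                 for a in lookup(dns, host, "A")]
    return any(ip_in(client_ip, a, prefix) for a in addrs)


def evaluate_spf(dns, domain, client_ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for domain and client_ip."""
    record = spf_record(dns, domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:               # modifier, not a mechanism
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        m = TERM_RE.match(term)
        if not m:
            return "permerror"
        name, arg, prefix = m.group(1).lower(), m.group(2), m.group(3)
        if name == "include":
            if depth >= MAX_INCLUDE_DEPTH:
                return "permerror"
            sub = evaluate_spf(dns, arg, client_ip, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub == "none":
                return "permerror"
            continue
        if mechanism_matches(dns, name, arg, prefix, domain, client_ip):
            return QUALIFIERS[qual]
    return "neutral"                  # no mechanism matched and no 'all' present


if __name__ == "__main__":
    # The two connecting IPs discussed in the message: wrong octet vs. the A record.
    for ip in ("209.191.13.82", "206.191.13.82"):
        print(f"roaringpenguin.com from {ip}: {evaluate_spf(DNS, 'roaringpenguin.com', ip)}")
```

Running the module reproduces the thread's two outcomes: 209.191.13.82 does not equal the A record 206.191.13.82, so evaluation falls through to `-all` and returns `fail`; 206.191.13.82 matches `a` and returns `pass`. The `example.org` record shows why the qualifier matters for a receiver: `~all` yields `softfail` rather than `fail` for an unknown sender, which most MTAs treat as "mark and accept" rather than reject.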
