Dave Crocker wrote:
> > The BATV introduction is misleading. It doesn't mention anything
> > about the reasoning behind BATV that you state,
>
> #2 and #3, above, are two types of bounce messages that are invalid,
> because they result from unauthorized creation of the bounce address
> (MailFrom). The Introduction says:
>
>    "existing Internet mail permits unauthorized use of addresses in
>    the MailFrom command, which results in having notices sent to
>    unwitting and unwilling recipients."
>
> which seems to state exactly that condition, and:
>
>    "Bounce Address Tag Validation (BATV) defines a framework for
>    mechanisms that validate the value in this command."
>
> says that BATV seeks to remedy that problem.
>
> How should the Introduction be different?

Also, this bit really confused me:
Section 4.2.2
"The checking of private signatures is only performed within the domain
specified in the MailFrom command. The first component that processes
the MailFrom's local-part must be able to interpret the meta-syntax. It
MAY also perform validation."
This seems to be saying that only mail servers within the domain
specified in the MailFrom command should check signatures. So, that
seems to mean that ONLY the MTAs *sending* the message originally should
check the domain, as those are the MTAs in the domain specified in the
MailFrom. This really confused me. That's why I thought private key
tagging was pointless - what's the point of one of the sender's MTAs
checking the signature as the message was being sent?
Now (I think) I understand what BATV's supposed to do, I think I know
what you were trying to say, but from a 'newbie' POV it just didn't seem
to make sense.
For a bounce message, the MailFrom command specifies a null return path,
so there is NO domain specified in the MailFrom command when the
checking of private signatures is performed.
I think what you meant to say was that the checking of private
signatures is only performed within the domain specified in the *RcptTo*
command of the incoming bounce message - i.e. the domain where the
original message should have come from.
--
Paul Smith
VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows
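
Added example, not part of the original message or of the BATV draft: a sketch of the check described above, where an incoming bounce has a null MailFrom and the private tag is verified by the domain named in RcptTo. The tag layout (`prvs=` plus a key digit, a 3-digit expiry day and 6 hex digits of HMAC-SHA1) is a simplified assumption, and the key, domain, lifetime and function names are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed; known only to example.org's MTAs
LOCAL_DOMAIN = "example.org"       # constructed domain
LIFETIME = 7                       # days a tag stays valid (assumption)

def _mac(stamp, local):
    # Truncated keyed hash over the stamp and the original bounce address.
    msg = f"{stamp}{local}@{LOCAL_DOMAIN}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]

def sign_mailfrom(local, day):
    """Outbound: tag the envelope sender. Stamp = key digit + 3-digit expiry day."""
    stamp = f"0{(day + LIFETIME) % 1000:03d}"
    return f"prvs={stamp}{_mac(stamp, local)}={local}@{LOCAL_DOMAIN}"

def check_bounce(mail_from, rcpt_to, day):
    """Inbound: classify one SMTP envelope at the receiving MTA."""
    if mail_from != "":
        return "not-a-bounce"          # bounces carry the null return path <>
    local, _, domain = rcpt_to.rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        return "not-our-domain"        # another domain's private tag is opaque to us
    if not local.startswith("prvs="):
        return "reject-untagged"       # assumes all our outbound mail is tagged
    tag, sep, orig_local = local[5:].partition("=")
    stamp, mac = tag[:4], tag[4:]
    if not sep or len(tag) != 10 or not (stamp.isascii() and stamp.isdigit()):
        return "reject-malformed"
    # Constant-time comparison of the presented and recomputed signatures.
    if not hmac.compare_digest(mac.lower().encode(), _mac(stamp, orig_local).encode()):
        return "reject-bad-signature"
    if (int(stamp[1:]) - day) % 1000 > LIFETIME:
        return "reject-expired"
    return "accept"
```

The only domain consulted on the inbound path is the one in RcptTo, since MailFrom is empty for a bounce; the signing key never leaves that domain.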