[Top] [All Lists]

Re: Mail Data termination

2011-08-20 09:14:28

John C Klensin wrote:

--On Wednesday, August 17, 2011 17:23 +0000 John Levine
<johnl(_at_)taugh(_dot_)com> wrote:

How does the 'discard' action of RFC5617 (DKIM ADSP) fit into
this  picture? Although RFC5321 and RFC5617 operate on
different protocol  layers, in real life the two are often
intertwined by way of MTA milter  callouts during SMTP DATA
For people who choose to implement ADSP (and you know how I
feel about that), I think it's fair to say that it operates at
a layer above SMTP.

Please also note that 5321 says, very explicitly, that a server
may make all sorts of exceptions to a close reading of the rules
to protect itself from attacks.  I'm not going to quote the
section number again -- the authors of several entries in this
long thread need to go back and read that spec again.  If one
views DKIM with ADSP as a necessary attack-prevention mechanism,
provisions of 5321 that seem contradictory are irrelevant.

I'm not sure which way to read your comment, but I don't see a contradiction.

The essential and common, general, NEW design consideration is the continued evolution of advanced mail integration by performing payload analysis in the DATA state in order to do three things;

- Accelerate what would be the same result if it was accepted always and
     processed after the session was added,

   - Eliminate/reduce the problematic Accept/Bounce Exploits, and

   - the "Throw Away" ideas does not conform via well with the 1986
     US ECPA provisions for "User Expectations" with the long
tradition of online and also SMTP mandating a rejection notification
     adheres too.

From a product liability standpoint, to avoid censorship claims, the direction to provide the rejection notice during the smtp session solve two major issues - keep with User Expectation notification guidelines and reduce the serious Accept/Bounce Mail attacks.

I have always held the position that this debate and many others, centered around two basic modes of operations people use and SMTP needs to work under - older original styles of always accepting the payload and newer styles of tighter integration with the backend and dynamic processing of the payload. With operators mindset with older styles, a ADSP would be a NON-SMTP concept. But the PAYLOAD is part of SMTP so i don't agree with the concept.


Hector Santos

<Prev in Thread] Current Thread [Next in Thread>