John C Klensin wrote:
--On Wednesday, August 17, 2011 17:23 +0000 John Levine
<johnl(_at_)taugh(_dot_)com> wrote:
How does the 'discard' action of RFC5617 (DKIM ADSP) fit into
this picture? Although RFC5321 and RFC5617 operate on
different protocol layers, in real life the two are often
intertwined by way of MTA milter callouts during SMTP DATA
phase.
For people who choose to implement ADSP (and you know how I
feel about that), I think it's fair to say that it operates at
a layer above SMTP.
Please also note that 5321 says, very explicitly, that a server
may make all sorts of exceptions to a close reading of the rules
to protect itself from attacks. I'm not going to quote the
section number again -- the authors of several entries in this
long thread need to go back and read that spec again. If one
views DKIM with ADSP as a necessary attack-prevention mechanism,
provisions of 5321 that seem contradictory are irrelevant.
I'm not sure which way to read your comment, but I don't see a
contradiction.
The essential and common, general, NEW design consideration is the
continued evolution of advanced mail integration by performing payload
analysis in the DATA state in order to do three things;
- Accelerate what would be the same result if it was accepted
always and
processed after the session was added,
- Eliminate/reduce the problematic Accept/Bounce Exploits, and
- the "Throw Away" ideas does not conform via well with the 1986
US ECPA provisions for "User Expectations" with the long
tradition of online and also SMTP mandating a rejection
notification
adheres too.
From a product liability standpoint, to avoid censorship claims, the
direction to provide the rejection notice during the smtp session
solve two major issues - keep with User Expectation notification
guidelines and reduce the serious Accept/Bounce Mail attacks.
I have always held the position that this debate and many others,
centered around two basic modes of operations people use and SMTP
needs to work under - older original styles of always accepting the
payload and newer styles of tighter integration with the backend and
dynamic processing of the payload. With operators mindset with older
styles, a ADSP would be a NON-SMTP concept. But the PAYLOAD is part
of SMTP so i don't agree with the concept.
--
Sincerely
Hector Santos
http://www.santronics.com