Date: 2005-06-07 16:37
From: Dave Crocker <dhc2(_at_)dcrocker(_dot_)net>
1) What the implications of treating out-of-network mail injection as
submission are.
Unfortunately, you are asking an entirely open-ended question and I do not
know
what "implications" you are looking for.
One disturbing implication is that message submission permits modification
of a message without the knowledge or consent of the connecting client.
Of course a relay operator can whisper "this is a gateway" and do the same
sort of modifications with the same lack of client knowledge or consent.
I DO know what happens when there is unauthenticated relaying that originates
from outside one's network. What happens is that you get blacklisted. It
is,
after all, what the term "open relay" refers to and what is so popular with
mass
spammers.
Dave, I think you know the difference, but since this is a general list, an
"open relay" is one that forwards messages which neither originate from nor
are destined for its administrative domain. Simply authenticating relaying
("yes, it's from outside and destined for outside") doesn't close an open
relay. [and I have carefully avoided defining "originate from" or
"administrative domain"]
In particular, what would be the difference
between treating this as submission and treating it as relaying
with a requirement for authentication/authorization?
The major difference is accountability. When a message is treated as a
submission, then the submission agent (MSA) is able to take a reasonable
degree
of responsibility for the (new) message. For simple relaying, such
accountability is essentially impossible.
There is really only a "new" message it the content is substantially
modified. Of course both MSAs and MTAs (acting as gateways) are
permitted to modify content, but neither is required to do so.
Simply put, the open Internet's email infrastructure is under attack. The
postal mail global infrastructure, and all of the large-scale services that
do
global transfers, are subject to a high degree of accountability for their
activities and they have a significant degree of control they impose at their
boundaries. By contrast, Internet mail is entirely open, with no trusted
core.
I (hypothetically) write "Dave Crocker" in the return address space on
an envelope, address it, and pop it into a mailbox. Exactly how is there
either "a high degree of accountability" or "a significant degree of control"
on the part of the post office?
The (unfortunately predictable) development of abuses of this service are
requiring development of practises that tighten things up. The challenge is
to
do this in a way that does not create some sort of centralized control.
Or a multitude of "railroad barons" each with incompatible standards and
refusing to cooperate with others (in which case centralized control would
be preferable and desirable in the community interest).
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf