mail-vet-discuss

Re: [mail-vet-discuss] Seeking consensus on MUA use

2008-12-15 11:35:40
On Sun, Dec 14, 2008 at 10:39:08PM -0800, Douglas Otis wrote:

I always considered the purpose of this header is to communicate  
authentication results.  I don't think an IP address is an  
authentication result.  I'd think it was out of scope.


Sender-ID or SPF do not authenticate a domain!  These schemes indicate  
whether a domain within a message _authorized_ the IP address of the  
SMTP client.

The SPFv1 record has indeed been coopted by Sender-ID to mean things the
publisher of the SPF record may not have intended.

There are serious unresolved issues with Sender-ID and SPF.

The solution IMHO is to not use SPF or Sender-ID. I don't see where this
draft forces one to use these mechanisms.

There is no reason not to include the IP address of the SMTP client  
within the SPF or Sender-ID results.  Stop describing the  
authorization process as "Authentication".  Again, for either SPF or  
Sender-ID, the only weakly authenticated element would be the IP  
address of the SMTP client.  The only element that should be in scope  
would be the IP address of the SMTP client.

The IP address is "authenticated", by TCP (ability to complete 3-way
handshake) not SPF. What SPF/SID do poorly is verify that the domain
(MAIL.From or PRA) has authorized that IP to send on its behalf. The
A-R header records the authorizing domain so that its reputation can be
applied to appropriate messages from the IP (not the converse). The
goal is to enable this.

If downstream filters or MUAs want to use IP reputation and not domain
reputation (whether the domain is authenticated, or verified to have
authorized, ...) they need the IP address regardless of any domain
authentication protocols, and don't really need an A-R header at all.

The question of how to pass expanded envelope data to downstream MTAs
and filters is not currently addressed by the draft.

Postfix uses XFORWARD <http://www.postfix.org/XFORWARD_README.html>.
There are some advantages to using extended commands, and some to
using headers, and there is more interesting information to pass
than just the IP address.

Should A-R always pass the client IP (in which case this is not
an SPF/SID specific issue)? Maybe, provided A-R is the right
mechanism to carry this additional payload.

-- 
        Viktor.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
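
Added example, not part of the original message or of the draft under discussion: a downstream filter that applies domain reputation only when a trusted Authentication-Results header reports spf=pass, and otherwise falls back to the client IP, which it has to receive by some other channel. The authserv-id, the sample message and the function names are assumptions; the header layout (authserv-id; method=result ptype.property=value) follows the form later published as RFC 5451.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumption: id of our own border MTA

# Constructed sample: the first A-R header was added by our border MTA, the
# second arrived with the message and names an authserv-id we do not operate.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com
Authentication-Results: mx.forged.example; spf=pass smtp.mailfrom=bank.example
From: sender@example.com
Subject: constructed sample

body
"""

def parse_ar(value):
    """Return (authserv_id, [(method, result, {"ptype.property": value})])."""
    value = re.sub(r"\([^()]*\)", " ", value)       # drop (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, []
    authserv_id = parts[0].split()[0].lower()       # ignore optional version
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue                                # e.g. a bare "none"
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def reputation_key(raw_message, client_ip):
    """Score the authorizing domain on a trusted spf=pass, else the bare IP.

    client_ip is NOT read from A-R; it must come from the envelope by some
    other channel (assumption: the caller already has it).
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_ar(header)
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue                                # header is not ours
        for method, result, props in results:
            domain = props.get("smtp.mailfrom", "")
            if method == "spf" and result == "pass" and domain:
                return ("domain", domain.rsplit("@", 1)[-1].lower())
    return ("ip", client_ip)
```
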
