Meng Weng Wong wrote:
On Tue, Jan 13, 2004 at 06:44:09PM -0800, Ask Bjørn Hansen wrote:
|
| >I'm not sure that you can do this. In particular, E cannot know
| >whether the previous entry had the correct hash or not. I think that
| >the only solution is to use a database to perform the mapping. I'd be
| >inclined to HMAC the sender using a secret key. Then just send the
| >message on with bounce-<hash> as the sender. You need to store the
| >mapping from hash to sender in a database, along with some timeouts.
| >I'm not entirely certain why we should use an HMAC rather than a hash,
| >but it seems to provide a little extra security for very little extra
| >cost.
|
| I am considering how to implement SRS in my forwarder as well. The
| disadvantage of not including the original sender is that you make it
| impossible for the recipient to usefully filter on the envelope sender.
|
Personally I think the 64 char limit is ridiculously short. Who
actually uses that limit?

I think it's just right. If you remove the limit on local-part (64) and
domain (255) length then essentially you are then limited to the SMTP
command-line length (512 - command length and CRLF), which would be
acceptable too IF you can get the RFCs updated.

Increasing the limits or clarifying them in the RFCs would be useful.
Consider the "path" max. length:

    The maximum total length of a reverse-path or forward-path
    is 256 characters (including the punctuation and element
    separators).

This is confusing since the max. lengths don't add up:

    <path> != <local-part @ domain>

Regardless of this confusion I see, no matter what limits you place on
the local-part, domain, or path, I can always construct an email address
that uses the maximum lengths allowed and then attempt to subscribe to a
service using SRS.

I find limits useful:

a) for coding reasons;
b) for RFC conformance checks, I can reject suspiciously long addresses;
c) without the limits, such as the command line or email address, I
could see a type of DoS attack where an SMTP server sits there reading
an email address without end.
--
Anthony C Howe +33 6 11 89 73 78
http://www.snert.com/ ICQ: 7116561 AIM: Sir Wumpus
"...simplicity is a goal of good design,
it is never the starting point." - Dan Geer
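
A sketch of the database-backed scheme from the quoted text (HMAC the sender with a secret key, forward as bounce-<hash>, keep the mapping with a timeout) combined with the length limits discussed in the reply. This is an added example, not code from the thread or from any SRS implementation; SHA-256, the 20-character tag, the 7-day lifetime, the dict used as the database and all function names are assumptions.

```python
import hashlib
import hmac

MAX_LOCAL, MAX_DOMAIN, MAX_PATH = 64, 255, 256  # limits cited in the thread
TAG_HEX = 20         # assumed truncation: 80 bits of the HMAC output
TTL = 7 * 86400      # assumed mapping lifetime in seconds


def check_limits(addr):
    """Return True if addr fits the local-part, domain and path limits."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    # The path limit counts the surrounding "<" and ">" punctuation.
    return (len(local) <= MAX_LOCAL and len(domain) <= MAX_DOMAIN
            and len(addr) + 2 <= MAX_PATH)


def _tag(key, sender):
    """Keyed tag for a sender; cannot be computed without the secret key."""
    return hmac.new(key, sender.encode(), hashlib.sha256).hexdigest()[:TAG_HEX]


def rewrite(sender, fwd_domain, key, db, now):
    """Store tag -> (sender, expiry) and return the rewritten envelope sender."""
    if not check_limits(sender):
        raise ValueError("sender exceeds address limits")
    tag = _tag(key, sender)
    db[tag] = (sender, now + TTL)
    return "bounce-%s@%s" % (tag, fwd_domain)


def resolve(bounce_addr, key, db, now):
    """Map a bounce address back to the original sender, or return None."""
    local = bounce_addr.rpartition("@")[0]
    if not local.startswith("bounce-"):
        return None
    tag = local[len("bounce-"):]
    entry = db.get(tag)
    if entry is None or entry[1] < now:
        db.pop(tag, None)  # drop expired mappings
        return None
    # Recompute under the secret key so a tampered store entry is rejected.
    if not hmac.compare_digest(tag, _tag(key, entry[0])):
        return None
    return entry[0]
```

Because the original sender lives in the database rather than in the rewritten address, the new local-part stays at 27 characters however long the original was; the cost is that the recipient can no longer filter on the original sender, as the quoted reply notes.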
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt