spf-discuss

Re: A couple of thoughts

2004-02-15 10:42:34
----- Original Message ----- 
From: "Brian Candler" <B.Candler@pobox.com>
To: <spf-discuss@v2.listbox.com>
Sent: Friday, February 13, 2004 4:34 PM
Subject: [spf-discuss] A couple of thoughts

SRS-signing outgoing messages is easily implemented at an ISP. And as soon
as they have done that, they can configure their inbound MTA to reject
incoming bounces which are not to SRS-signed addresses. Let's say
example.com is a vanity domain handled by example.net as the ISP:

  outgoing (after going through smarthost):

    MAIL FROM:<srs0+hash+ts+example.com+b.candler@example.net>
    RCPT TO:<someone@somewhere.com>

  bounce:

    MAIL FROM:<>
    RCPT TO:<srs0+hash+ts+example.com+b.candler@example.net>
    250 valid bounce

    MAIL FROM:<>
    RCPT TO:<b.candler@example.com>
    550 Bounce message is not cryptographically signed

From now on, we know that all mail received *from* anyone@example.com will
be signed. So at receiving mail systems, a simple 'callback' SMTP probe
can be used to validate the address, the same as many spam filters use
already. If the callback looks like a bounce, it will be rejected if
unsigned.

A 'callback' SMTP probe is already widely deployed by, for instance,
"milter-sender", which uses real-time sender address verification for
regular addresses. To quote their manual: "To be in good standing, the MX
server of the sender must be reachable and willing to accept email for the
sender from the Delivery Status Notification (DSN) address, which is the
null address <> used for error reporting." (not just a matter of being "in
good standing", actually, but simply a requirement). The procedure is
simple: they issue an "RCPT TO: <address>" to see whether the recipient is
valid. The "omr-m*.mx.aol.com" mailers at AOL, for one, use this too. This:

    MAIL FROM:<>
    RCPT TO:<b.candler@example.com>
    550 Bounce message is not cryptographically signed

can therefore not be used in its blanket form (at least not without breaking
the world). As wayne pointed out, the message will need to be examined,
carefully, to ensure that we are indeed dealing with a real bounce message,
and not just another, also legit, SMTP probe.

The practical solution could be simple. Since a regular SMTP 'callback'
probe, such as "milter-sender" does NOT enter the DATA phase (and why would
it?), your unsigned bounce-message probe could be delayed until the DATA
phase. Then the rule is simple: "If we had an empty envelope-from, <>, then
we bounce when the single (!) recipient is not cryptographically signed."

This solution does not require a tricky scrutiny of the message DATA, and is
solely based on the "logic" of how regular SMTP probes operate. To
recapitulate:

1): empty envelope-from + DATA phase = message for which we require a
cryptographically signed SRS recipient;

2): empty envelope-from - DATA phase = regular SMTP probe; no
cryptographically signed SRS recipient required.

Regards,

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
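The deferred check Mark describes, as an added example that is not part of the post and not taken from milter-sender or any SRS implementation: the forwarder's inbound MTA answers 250 at RCPT TO regardless (so a callback probe that never sends DATA is unaffected), and only at DATA, with an empty envelope-from, does it insist on exactly one recipient carrying a valid SRS tag. The address layout follows the post's `srs0+hash+ts+domain+local@forwarder` form (the SRS specification itself uses `=` separators); the tag construction (HMAC-SHA1 truncated to four base32 characters), the day-count timestamp, the secret, and all function and class names are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Constructed values for the example: the forwarder's SRS secret and domain.
SRS_SECRET = b"constructed-demo-secret"
FORWARDER_DOMAIN = "example.net"
NULL_SENDER = ""  # the null envelope-from <>


def srs_hash(ts: int, orig_domain: str, orig_local: str) -> str:
    """Short HMAC tag over timestamp + original address (assumed construction)."""
    msg = f"{ts}|{orig_domain}|{orig_local}".lower().encode()
    mac = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(mac)[:4].decode()  # base32: no '+' or '@' in the tag


def srs_sign(address: str, ts: int) -> str:
    """Rewrite user@domain into the srs0+hash+ts+domain+user@forwarder form from the post."""
    local, domain = address.rsplit("@", 1)
    return f"srs0+{srs_hash(ts, domain, local)}+{ts}+{domain}+{local}@{FORWARDER_DOMAIN}"


def srs_verify(address: str, now: int, max_age: int = 7) -> bool:
    """True only for an unexpired tag that this forwarder generated itself."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != FORWARDER_DOMAIN:
        return False
    parts = local.split("+", 4)  # a '+' inside the original local part stays in parts[4]
    if len(parts) != 5 or parts[0].lower() != "srs0":
        return False
    _, tag, ts, orig_domain, orig_local = parts
    if not ts.isdigit() or not 0 <= now - int(ts) <= max_age:
        return False
    return hmac.compare_digest(tag, srs_hash(int(ts), orig_domain, orig_local))


class BounceGate:
    """Envelope state for one inbound SMTP session on the forwarder's inbound MTA."""

    def __init__(self, now: int):
        self.now = now
        self.sender = None
        self.rcpts = []

    def mail_from(self, sender: str) -> str:
        self.sender, self.rcpts = sender, []
        return "250 OK"

    def rcpt_to(self, rcpt: str) -> str:
        # Answer at RCPT exactly as a plain MTA would: a callback probe
        # (milter-sender, the AOL mailers) stops here and needs to see a 250.
        self.rcpts.append(rcpt)
        return "250 OK"

    def data(self) -> str:
        # The signature check is deferred to DATA, which a probe never reaches.
        if self.sender == NULL_SENDER:
            if len(self.rcpts) != 1 or not srs_verify(self.rcpts[0], self.now):
                return "550 Bounce message is not cryptographically signed"
        return "354 End data with <CR><LF>.<CR><LF>"


def run_session(commands, now: int):
    """Replay (verb, argument) pairs against one session and return each reply."""
    gate = BounceGate(now)
    replies = []
    for verb, arg in commands:
        if verb == "MAIL":
            replies.append(gate.mail_from(arg))
        elif verb == "RCPT":
            replies.append(gate.rcpt_to(arg))
        elif verb == "DATA":
            replies.append(gate.data())
    return replies


if __name__ == "__main__":
    today = 100  # constructed day count
    signed = srs_sign("b.candler@example.com", today - 1)
    # A callback probe: MAIL FROM:<> + RCPT TO, no DATA -> both 250.
    print(run_session([("MAIL", NULL_SENDER), ("RCPT", "b.candler@example.com")], today))
    # A real bounce to the SRS-signed address -> accepted at DATA.
    print(run_session([("MAIL", NULL_SENDER), ("RCPT", signed), ("DATA", None)], today))
    # A real bounce to the bare vanity address -> 550 at DATA.
    print(run_session([("MAIL", NULL_SENDER), ("RCPT", "b.candler@example.com"), ("DATA", None)], today))
```

The `max_age` window and the single-recipient rule are what stop a captured tag from being replayed indefinitely or stuffed into a multi-recipient bounce; the 550 text is the one used in the post.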