spf-discuss

Re: What about reverse source path?

2004-05-28 08:06:18
On Thu, 27 May 2004, Jeffrey Goldberg wrote:

On May 27, 2004, at 2:17 PM, Stuart D. Gathman wrote:

I have not yet seen a good answer to why we can't resurrect the reverse
source path.

I agree with you. I raised this question recently.  One answer I got is 
here:

  
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200405/0349.html

OK, recording the route taken in MAIL FROM is something we can do
today in compliance with RFC 2821 (albeit deprecated).  No software
changes in receivers or senders are required.  No ESMTP extensions 
are required (RFROM).  What's not to like?

O: Here is one potential problem:  suppose a message goes through 3
   forwarders.  One forwarder prepends to the reverse source path in
   MAIL FROM to support SPF.  The other 2 don't.  Does a partial
   reverse path break things?  

A: If the last forwarder does not prepend the source path, then the receiver
   cannot do SPF.  Otherwise, I think the receiver is only interested in the
   last hop for SPF purposes.  Since RFC2821 forbids using the source path for
   delivery, it should not be a problem.  If a really old mailer tries to use
   the source path for delivery, as soon as the message gets to an RFC2821
   system, it will ignore the source path and go directly to the final
   recipient.

O: Here is another objection: the source path is redundant with the
   Received headers for diagnosing problems.  For SPF purposes, only the last
   hop is needed - the rest of the source path is redundant.  RFROM
   provides only the relevant info without cluttering up MAIL FROM.

A: A receiver may wish to verify more than just the last hop.  RFROM
   is not available yet, reverse source path is.  Since a partial
   reverse source path must be allowed as discussed above, a forwarder
   could simply replace the reverse path instead of prepending.

If SPF receivers looked at the reverse path, then forwarders would have
a choice of implementing reverse path or implementing SRS (or doing nothing and
letting the receiver whitelist).  An SPF receiver with software that
does not support reverse path would whitelist a reverse path forwarder
as they must whitelist a non-SRS forwarder today.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
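
The receiver-side check discussed in this message, as an added example that is not part of the original post or of any SPF implementation: it parses an RFC 2821 reverse-path with an optional source route and picks the domain a receiver would test under the thread's proposal. The function names, the `.example` addresses and the simplified local-part pattern (no quoted strings) are assumptions made for illustration.

```python
import re

# RFC 2821 Path: "<" [ A-d-l ":" ] Mailbox ">", A-d-l = "@domain" *( "," "@domain" )
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})*"
_PATH = re.compile(
    rf"<(?:(?P<route>@{_DOMAIN}(?:,@{_DOMAIN})*):)?"
    rf"(?P<local>[^@<>\s:,]+)@(?P<domain>{_DOMAIN})>"
)


def parse_reverse_path(arg):
    """Return (hops, mailbox) for a MAIL FROM argument; ([], None) for "<>".

    hops keeps the order on the wire. Each forwarder prepends its own
    domain, so hops[0] is the most recent forwarder (the "last hop").
    Raises ValueError for anything that is not a well-formed Path.
    """
    arg = arg.strip()
    if arg == "<>":  # null reverse-path, used for bounces
        return [], None
    m = _PATH.fullmatch(arg)
    if m is None:
        raise ValueError(f"not an RFC 2821 reverse-path: {arg!r}")
    route = m.group("route")
    hops = [h[1:].lower() for h in route.split(",")] if route else []
    return hops, f"{m.group('local')}@{m.group('domain').lower()}"


def spf_domain(arg):
    """Domain whose SPF record the connecting client is checked against
    under the proposal in this thread: the last hop when a source route is
    present, otherwise the mailbox domain. None for the null path."""
    hops, mailbox = parse_reverse_path(arg)
    if hops:
        return hops[0]
    return mailbox.rsplit("@", 1)[1] if mailbox else None


if __name__ == "__main__":
    # Constructed sample arguments, not taken from real traffic.
    for sample in ("<@fwd2.example,@fwd1.example:alice@origin.example>",
                   "<alice@origin.example>", "<>"):
        print(sample, "->", spf_domain(sample))
```

If the final forwarder did not prepend itself, `spf_domain` returns an earlier hop or the origin domain, which is the case the message describes as "the receiver cannot do SPF".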

