On Thu, 3 Jun 2004, Seth Goodman wrote:
To address problem #1, I propose that we _require_ the MAIL FROM: address to
appear in either From: or Sender: and enforce that by rejecting messages
where this is not the case. If Sender: exists, MAIL FROM: would have to
match Sender:. I still haven't seen any practical examples of why MAIL
FROM: _needs_ to be distinct from From:/Sender: that can't be easily handled
some other way.
This proposal causes trouble for SES. A strict SES implementation
distinguishes between destination addresses and return addresses. This is
important for early rejection of messages that are spoofed, and for
callout verification. Return addresses appear in the MAIL FROM of normal
messages (and therefore the Return-Path: after final delivery), or the
RCPT TO of a bounce. Destination addresses appear in RCPT TO commands for
normal messages, and in all the message headers apart from Return-Path:.
It's slightly counter-intuitive that the Sender: header contains a
destination address. This is because it contains the same kind of address
as a From: header, and a From: address is often used when constructing a
reply.
--
Tony Finch <dot(_at_)dotat(_dot_)at> http://dotat.at/