spf-discuss

RE: A hole in planned phishing-prevention?

2004-06-14 10:11:17
From: Tony Finch
Sent: Monday, June 14, 2004 10:32 AM


> On Thu, 3 Jun 2004, Seth Goodman wrote:
>
> > To address problem #1, I propose that we _require_ the MAIL FROM: address
> > to appear in either From: or Sender: and enforce that by rejecting
> > messages where this is not the case.  If Sender: exists, MAIL FROM: would
> > have to match Sender:.  I still haven't seen any practical examples of why
> > MAIL FROM: _needs_ to be distinct from From:/Sender: that can't be easily
> > handled some other way.
>
> This proposal causes trouble for SES. A strict SES implementation
> distinguishes between destination addresses and return addresses.  This is
> important for early rejection of messages that are spoofed, and for
> callout verification.  Return addresses appear in the MAIL FROM of normal
> messages (and therefore the Return-Path: after final delivery), or the
> RCPT TO of a bounce.  Destination addresses appear in RCPT TO commands for
> normal messages, and in all the message headers apart from Return-Path:.
> It's slightly counter-intuitive that the Sender: header contains a
> destination address. This is because it contains the same kind of address
> as a From: header, and a From: address is often used when constructing a
> reply.

When you say destination addresses, I think of RCPT TO: addresses and the
same addresses in the To: header.  These have nothing to do with the
return-path address, From: or Sender:.  I certainly didn't suggest that the
destination address appear in Sender:.  BTW, when I wrote this, I fully
understood that the MAIL FROM: address was an SES-signed address, while
From: and Sender: are both plain unsigned addresses, but was too lazy to
state this outright.  If that was the source of the confusion, my apologies.

In an SES system, MAIL FROM: is a signed version of the address to receive
bounces.  For a message with a single sender, the unsigned version of this
address normally appears in the From: header.  If there is more than one
From: address or someone is sending mail on behalf of someone else, the
unsigned version of the MAIL FROM: address normally appears in Sender: and
one or more unverifiable addresses appear in From:.  Mailing lists also
operate in the latter mode, though not strictly.  This is the case for the
great majority of legitimate email.  Forgeries, on the other hand, almost
never have correspondence between the return-path and From: or Sender:.
Though the RFCs vaguely imply that MAIL FROM: should be the same as either
From: or Sender:, they certainly don't require it.  What I was asking was
what would break if we did make that a requirement?  The motivation for this
is the ability to validate the From: or Sender: header once the return-path
is verified.  I was not suggesting or contemplating any restriction on
Reply-To:, just From: or Sender:.

One problem is that mailing lists would have to change their practice
slightly.  They often use a slightly different bounce address than they put
in Sender:.  As they are mass mailers, it would not be difficult for them to
use the same address in both places, i.e. owner-spf-discuss@v2.listbox.com,
albeit with the appropriate signature in MAIL FROM:, and redirect any
bounces to wherever they choose.

Outside of this, I can't think of any cases that _need_ to use a different
bounce address and return address (From:).  Can you?

--

Seth Goodman
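The rule argued over in this exchange can be written down as a receiver-side check. The following is an added illustration, not code from the thread, from SES, or from any list software: the unsigned form of the MAIL FROM address must equal the Sender: address when a Sender: header is present, and otherwise must be one of the From: addresses. The signature layout (`ses=<tag>=<local>@<domain>`, an HMAC tag over the plain address) is a constructed stand-in so the example runs offline; it is not the real SES wire format. An empty return path (`<>`) marks a bounce, where the rule does not apply because the return address then travels in RCPT TO rather than MAIL FROM.

```python
"""Check the MAIL FROM / From: / Sender: consistency rule from the thread.

Signature layout below is a constructed stand-in for SES, not the real
SES format.  All addresses and the secret are constructed sample values.
"""
import hashlib
import hmac
from email.utils import getaddresses

DEMO_SECRET = b"constructed-demo-secret"  # constructed; a real MTA keeps this private
TAG_LEN = 12  # hex chars of HMAC kept as the tag (demo choice)


def _tag(plain_address: str, secret: bytes) -> str:
    """HMAC tag binding the signed local part to the plain address."""
    digest = hmac.new(secret, plain_address.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:TAG_LEN]


def sign_return_path(address: str, secret: bytes = DEMO_SECRET) -> str:
    """Produce the signed bounce address an SES-style sender puts in MAIL FROM."""
    local, domain = address.rsplit("@", 1)
    return f"ses={_tag(address, secret)}={local}@{domain}"


def unsign_return_path(signed: str, secret: bytes = DEMO_SECRET):
    """Recover the plain address from a signed one; None if the tag is invalid."""
    if "@" not in signed:
        return None
    local, domain = signed.rsplit("@", 1)
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "ses":
        return None
    plain = f"{parts[2]}@{domain}"
    # Constant-time compare so tag checking does not leak timing information.
    if not hmac.compare_digest(_tag(plain, secret), parts[1]):
        return None
    return plain


def _addresses(header_value: str):
    """Lower-cased addr-spec list parsed from a From:/Sender: header value."""
    return [addr.lower() for _, addr in getaddresses([header_value]) if addr]


def check_consistency(mail_from: str, headers: dict, secret: bytes = DEMO_SECRET):
    """Apply the proposed rule.  Returns (accept, reason).

    headers maps header names ("From", "Sender") to their raw values.
    """
    mail_from = mail_from.strip()
    if mail_from in ("", "<>"):
        # Bounce: the return address is in RCPT TO, so the rule is not applied.
        return True, "empty return path (bounce); rule not applicable"

    plain = unsign_return_path(mail_from.strip("<>"), secret)
    if plain is None:
        return False, "MAIL FROM signature invalid"
    plain = plain.lower()

    sender = _addresses(headers.get("Sender", ""))
    if sender:
        # Sender: present: it must be the unsigned MAIL FROM (mailing-list case).
        if plain in sender:
            return True, "MAIL FROM matches Sender:"
        return False, "Sender: present but does not match MAIL FROM"

    # No Sender:: the unsigned MAIL FROM must be one of the From: addresses.
    if plain in _addresses(headers.get("From", "")):
        return True, "MAIL FROM matches From:"
    return False, "MAIL FROM matches neither From: nor Sender:"


if __name__ == "__main__":
    signed = sign_return_path("alice@example.com")
    cases = [
        (signed, {"From": "Alice <alice@example.com>"}),
        (signed, {"From": "Bob <bob@example.org>", "Sender": "alice@example.com"}),
        (signed, {"From": "Bob <bob@example.org>"}),
        ("ses=000000000000=alice@example.com", {"From": "alice@example.com"}),
        ("<>", {"From": "postmaster@example.net"}),
    ]
    for mf, hdrs in cases:
        print(mf, hdrs, "->", check_consistency(mf, hdrs))
```

The mailing-list case Seth describes (list address in Sender:, subscriber's address in From:) passes because Sender: takes precedence; a forgery whose signed return path belongs to one party while From: and Sender: name another is rejected; and a bogus tag is rejected before any header comparison, which is the early-rejection property the SES side of the exchange is concerned with.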