Le jeudi 22 Juillet 2004 16:23, Daniel Taylor a écrit :
[...] Times change, and now the problems
of the distributed system outweigh the benefits and we need to go
to a more controlled system like the web.
As another folk said, let's before that try to get email servers admins to
first implement and use the simple methods that just are "a well configured
server and network".
The "legitimate" SMTP servers that don't even have any reverse DNS are
countless. Many (professional) servers from many companies currently HELO
with a name that isn't even an FQDN, or doesn't resolve to anything, or
resolves to an IP address that differs from their actual IP address.
Many automated email (which one may need to receive) come with a Return-Path
pointing to a non-existing address, and sometimes even to an undefined
subdomain or host.
My receiving MTA rejects all email that comes from such ill-configured
servers, but I have an ever-growing "whitelist" of "accept mail from this
broken server or sender", because there are mails from such servers that I,
or any other user from my domain _need_ to get.
And even though I spent hours writing to postmasters of these domains, they
simply don't give a shit and won't go and fix it -- postmaster's mail for
them must be forwarded to /dev/null, when it doesn't bounce with "Unknown
recipient". Yes, rfc-ignorant.org is here for that.
In a corporate environment, go tell a non-IT manager that you are and will be
rejecting the email about the big contract from big-customer.com just because
of "some obscure technical misconfiguration issue somewhere" that the manager
doesn't care or want to hear about. He just wants to get the damned mail from
big-customer.com no matter big-customer.com's servers can be ill-configured.
And you will actually be fired if you keep on filtering the big contract
email for Mr Big-Manager...
So before SPF or any other authentication scheme gets _very_ widely used, with
accurate published records for every domain, and correctly configured MTAs, I
believe we still have a looooong road.
But you _should_ be able to have an expectation of authenticity
under certain circumstances.
Then what you need is digital signature, S/MIME, PGP or whatever. These
solutions have been around for a decade, implemented in the most widely used
MUAs, and what percentage of users do actually use them ?
--
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E