spf-discuss

Re: SES

2004-08-17 09:50:19
On Tue, 2004-08-17 at 11:20 -0400, Meng Weng Wong wrote:
> On Tue, Aug 17, 2004 at 03:44:00PM +0200, Roger Moser wrote:
> | 
> | .. or the sender implements SES (signed envelope sender).
> | 
>
> Folks interested in implementing SES (which has been
> reinvented as BATV by some people in the MARID group) should
> review
>
> http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/antiforgery/cam.txt
> http://asarian-host.net/srs/sendmailsrs.htm
>
> It would be interesting to hear reports of how well it works
> in the field, and what the costs and benefits are for a
> large deploying site.

I've been doing it for a few users, myself included, since some time in
February. I've posted the URL for my Exim 4 implementation already on
this list.

The only problem I've had is with ezmlm mailing lists, which look at the
SMTP reverse-path in subscribe requests and when filtering posts from
non-subscribers. I need to set up a system-wide list of ezmlm list
addresses, and potentially other recipients which have the same problem,
and use a constant reverse-path for those addresses -- probably dropping
the timestamp and just using a per-recipient key for those recipients. 

Since this hasn't actually been that much of a problem in practice, I
haven't bothered yet -- but I need to do it soon because I want to stop
it being opt-in and impose it on all users.

It instantly stopped the participating users from receiving bounces to
mail they didn't send, and allowed any third party doing CBV to reject
mail with a participating user's address faked as the source.

On the whole, I think it's been a resounding success. We could do with
ezmlm changing its behaviour, but we can work around it for now. 

-- 
dwmw2
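
A sketch of the scheme discussed in this message, added here as an example; it is not the Exim 4 implementation mentioned above and not part of the original post. It signs the reverse-path with a timestamped tag, uses a constant per-recipient tag for recipients such as ezmlm lists, and checks the recipient of an incoming bounce or CBV probe. The tag layout, the key, the seven-day window and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # assumption: site-wide signing secret
MAX_AGE_DAYS = 7                   # assumption: how long a bounce stays acceptable
# Assumption: recipients that match on the reverse-path (e.g. ezmlm lists).
STATIC_RCPTS = {"list@lists.example.org"}

# Hypothetical layout: local+ses-DDD-MAC (timestamped), local+sesc-MAC (constant).
TAG = re.compile(r"(?P<local>.+)\+ses(?:c-(?P<cmac>[0-9a-f]{10})"
                 r"|-(?P<day>[0-9]{3})-(?P<tmac>[0-9a-f]{10}))")

def _mac(*parts):
    data = "\0".join(parts).encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:10]

def sign_sender(sender, rcpt, today):
    """Reverse-path for mail from sender to rcpt; today is a day number."""
    local, _, domain = sender.lower().rpartition("@")
    addr, rcpt = f"{local}@{domain}", rcpt.lower()
    if rcpt in STATIC_RCPTS:
        # No timestamp, so this recipient always sees the same reverse-path.
        # Mixing the recipient into the MAC stands in for a per-recipient key.
        return f"{local}+sesc-{_mac('c', addr, rcpt)}@{domain}"
    day = f"{today % 1000:03d}"
    return f"{local}+ses-{day}-{_mac('t', addr, day)}@{domain}"

def verify_bounce_rcpt(address, today):
    """True if a bounce or CBV probe addressed to `address` should be accepted."""
    localpart, _, domain = address.lower().rpartition("@")
    m = TAG.fullmatch(localpart)
    if not m:
        return False                   # unsigned: no mail was sent with this path
    sender = f"{m['local']}@{domain}"
    if m["cmac"]:
        # Constant tags never expire; accept only those made for a listed recipient.
        return any(hmac.compare_digest(m["cmac"], _mac("c", sender, r))
                   for r in STATIC_RCPTS)
    age = (today - int(m["day"])) % 1000   # a future-dated tag wraps to a large age
    return age <= MAX_AGE_DAYS and hmac.compare_digest(
        m["tmac"], _mac("t", sender, m["day"]))
```
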

