--Scott Kitterman <spf2(_at_)kitterman(_dot_)com> wrote:
> I think it's a different type of issue because there is an ongoing
> contractual relationship between the MTA provider and the customer being
> given SMTP AUTH access. ...

Yes... In fact they don't even have to use SMTP AUTH if they can verify
users some other way, like checking who the IP was leased to, or
pop-before-smtp or something, though I think SMTP AUTH is the most popular.
As long as they can I.D. me somehow.

> I was thinking more along the lines of business rules, e.g....
> ...
> 2. MTA customer is authorized by the domain owner based on e-mail from
> the address listed in the domain registration and the e-mail is
> authenticated via SPF, S/MIME or PGP signature, etc.

Yes. I had previously suggested (though I'm sure it's not a new idea) that
the user can "register" any other addresses (or entire domains) by
receiving a challenge message and clicking the link, or replying (similar
to joining a mailing list.) A challenge message to "postmaster" might
serve to authorize the whole domain.
Of course as you said, isp.net's users can use their @isp.net addresses
with no trouble, or if isp.net manages their domain for them they can use
that domain.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>