Hi !!
you could use ses to sign the mailfrom without any need to
distribute keys, in fact, i cannot see anywhere on ses specs that
keys have to be available to others than the one who has signed
the mailfrom.
Uh, that's the point. Keys have to be available to the one who has signed
the mailfrom, but not others. You have to make sure that everyone who
needs to use SES has a key, including the examples I gave.
well, mailfrom is signed at the mta, not at the mua. If you want
to run your own mta just for your own email address then you could
either not use ses, use ses with your own key, use your domain's
mta to relay (preferred) or run your own ses validation service.
this is also possible with ses, there are no keys and policy is
published at spf records or inside the ses signature, so you have
the same flexibility.
No you don't. You have to distribute keys to IP address authorized by
your SPF record, where as with SPF you just have to authorize IP
addresses.
no, there is no need to distribute keys, you could sign your mailfrom
requiring spf validation, publish a spf record like this:
v=spf1 a mx ses=udp:a:%{l}.{%d} all (just an example)
have wayne.midwestcs.com resolve to one host at your control and
run there your udp ses validation service. That way you have total
control over your key without any need of transferring it anywhere.
that's mainly because you don't really know how ses works. I really
see a big difference about the work need between both systems.
Ok, I've read the SES specs. I though I knew how it worked. Nothing
you have said indicates that I don't.
I hope now you can see that is possible to run ses without having to
distribute keys.
I didn't say that there could only be one SES key, just that the ESP
had to have *a* valid key. There still has to be communication between
the ESP and the MTA that deals with the bounces/callbacks/DNS
validation.
it could use it's user ses validation service to check the signatures
Yes, the things you suggest can make the key distribution problem
easier, but they also require changes.
here the main problem seems to come from users that want to do direct
smtp delivery instead of relaying through their domain mta server. There
could be some reasons why an advanced users could need this, but really
no reason why a low level user need to do that. SMTP auth is here to
solve those problems and other common problems (dsl or dialup zones
being blacklisted, servers that check rdns, etc ...)
--
Best regards ...
It's a fine line between fishing & standing still
----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. e-mail david(_at_)ols(_dot_)es
Pintor Vayreda 1 telf +34 902 50 29 75
08184 Palau-Solita i Plegamans movil +34 670 35 27 53
----------------------------------------------------------------