spf-discuss

Proposed policy on Forwarding. (Was: Re: Sendmail white paper)

2004-11-24 02:18:59
On November 23, 2004  at 10:54 PM "Alex van den Bogaerdt" replied:

On Tue, Nov 23, 2004 at 05:19:51PM +0000, David Woodhouse wrote:
On Tue, 2004-11-23 at 17:43 +0100, Alex van den Bogaerdt wrote:
The world is changing.  You need to change with it.

Many reasons have been pointed out why the world doesn't _need_ to
change in this particular way. And there's no evidence that the world
_is_ actually deploying SRS on any kind of relevant scale either.

Many times it has been pointed out that forwarding is _your_ problem
not mine so there is no need for me to deploy srs.

Don't start again on the forward_is_not_broken_until_spf subject. We
know you don't agree.

If you forward email to $somewhere, I do not wish to receive bounces
from $somewhere. I may not be able to communicate with $somewhere,
I have no business with $somewhere.  And I am not going to change my
mind just because you forward your mail.

<snip />

I support Alex et al.  I've been drafting an essay on this topic over the last
few days, but have now had enough time to make it shorter by emulating Frank's
style.

All below is IMHO.

The style of forwarding (original MAIL-FROM on hops 2, 3, ..) is contrary to the
SMTP architecture / contract.

Each hop constitutes a different SMTP message; a different instance of the SMTP
'contract'.

It is an abuse of SMTP to send a bounce containing details of message n (n > 1)
back to the originator of message 1.

It also involves 'envelope forgery'. The 2821-sender of message 1 _did not_
authorise the sending of messages 2, 3 etc., knows nothing of the addresses
involved, and has no responsibility / accountability for them.

Forwarding in this way is bad, always has been and always will be.

The fact that it has worked in the past is no reason to keep it or pander to it.

SPF exposes this 'envelope forgery'.

CSV ignores the forgery; it is addressing a different problem. It is no
substitute for SPF.

SRS is an attempt to sustain this SMTP-abuse in the presence of SPF.
SRS is an abomination and should not be promoted.

Although SES can also be used to sustain this abuse, it has its own, distinct
contribution to make and SPF+SES looks valuable.

SES should not be promoted as a 'solution to the forwarding problem'.

Forwarders should handle bounces at the start-point of each hop. They should
send a 'normal' message back to the 2822 Sender to notify non-delivery.

[Something SRS-like could be used to do this: Encode the 2822-Sender address
into the forwarder's own Mail-From, rather than the original 2821-MailFrom
address. The encoding used should be entirely private to the forwarder. No
published protocol is needed.]

Forwarders should ignore the presence of SES - it is nothing to do with them. It
does not absolve them from the need to supply their own Mail-From address.


The new SPF Council should publish a White Paper warning the Forwarding industry
of the need to change in the presence of SPF and other forgery-detection
technologies (and actively send it to known forwarders).

SPF should not otherwise concern itself with the problems of forwarding.

              Bye,  Chris Haynes
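
The bracketed suggestion in the message above (encode the 2822 Sender into the forwarder's own Mail-From, using an encoding private to the forwarder), sketched as an added example; it is not code from the original post or from any SPF/SRS implementation. The key, the domain `forwarder.example`, the `fwd+` prefix and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Assumptions for this example: a key known only to the forwarder, and its own domain.
SECRET = b"constructed-demo-key"
FORWARDER_DOMAIN = "forwarder.example"


def _tag(payload: str) -> str:
    """Truncated HMAC over the payload, so only the forwarder can mint valid addresses."""
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode().lower()  # 80 bits -> 16 chars, no padding


def encode_return_path(header_sender: str) -> str:
    """Build the forwarder's own MAIL FROM, carrying the 2822 Sender privately."""
    payload = base64.b32encode(header_sender.encode()).decode().lower().rstrip("=")
    # Note: long sender addresses can exceed the 64-octet local-part limit;
    # a production design would store a short lookup key instead.
    return f"fwd+{_tag(payload)}+{payload}@{FORWARDER_DOMAIN}"


def decode_return_path(bounce_rcpt: str):
    """Return the 2822 Sender to notify, or None if the address is not ours or was altered."""
    local, _, domain = bounce_rcpt.rpartition("@")
    parts = local.lower().split("+")
    if domain.lower() != FORWARDER_DOMAIN or len(parts) != 3 or parts[0] != "fwd":
        return None
    _, tag, payload = parts
    # Constant-time comparison; a forged or edited address fails here.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None
    padded = payload.upper() + "=" * (-len(payload) % 8)
    return base64.b32decode(padded).decode()


if __name__ == "__main__":
    # Constructed sample: the forwarder relays a message whose 2822 Sender is alice.
    rp = encode_return_path("alice@origin.example")
    print("MAIL FROM on hop 2:", rp)
    print("Bounce received, notify:", decode_return_path(rp))
    print("Forged bounce address:", decode_return_path("fwd+aaaa+bbbb@forwarder.example"))
```

Because the forwarder's hop now carries an address in the forwarder's own domain, an SPF check at the next hop evaluates the forwarder's record, and any bounce lands at the forwarder, which can then send an ordinary message to the decoded 2822 Sender.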