spf-discuss
[Top] [All Lists]

RE: Ignoring rejected mail?

2004-12-08 14:31:35
On Wed, 8 Dec 2004, Mark wrote:

... Part of the message digest is included in the
MAIL FROM signature in place of the message id,
so most forgeries are detected before SMTP DATA.

How can you check your digest against anything before the DATA is in?

If that passes, the message body is received,
and the full digest can be checked.

Do you mean to get the message header first? But that is also part of
DATA; and, unfortunately, there is no separate HEADER and BODY command
yet. So once you pull in the DATA, you need to swallow it whole. I would
be interested to hear how you do this 'shortcut' signature check.

The MAIL FROM signature is unique for every message.  The recipient can verify
the MAIL FROM in the usual way, completely ignoring any message digest.
However, if the MAIL FROM is sent to a SES validation server via the new UDP
protocol, the server will respond with a message digest for the message body if
the MAIL FROM is otherwise valid.  The recipient can then compare the SES
servers message digest with what it computes - or just ignore it.
There are various ways to enable an SES server to encode the key needed to
retreive the stored message digest in the MAIL FROM - all hotly debated
on ses-discuss.  However, it is transparent to the mail recipient,
and it wouldn't matter functionally if every sender did it differently.

The point is, the MAIL FROM can be validated "as is", similarly to self-signed
SRS.  If the new SES protocol is supported by both sender and recipient, a
successful response from the UDP validation server also gives you a digest to
validate the message body and selected 2822 headers.  The real purpose of the
latter is to stop replay attacks of the 2821 signature without limiting
successful validations.  However, you get 2822 and message body authentication
for free when you do it that way.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


<Prev in Thread] Current Thread [Next in Thread>