spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Sender's Identity Declaration

2005-03-31 03:48:20
from [Chris Haynes] [Permanent Link] 
"David MacQuigg" suggested


At 11:17 PM 3/30/2005 -0500, Scott Kitterman wrote:


CSV only deals with HELO/EHLO.  Since so many mail servers have a bogus
HELO/EHLO these days it's near term utility seems questionable.


Since the HELO domain is not used for much these days, that seems like the
ideal place for a mail server to declare its identity.  Any server that
won't do at least that, is unlikely to participate in any authentication
protocol.

We need some way for the server to *declare* its identity in a way that
will override whatever method is used by the receiver.  Maybe EHLO <domain>
*, with the * meaning "This is my real identity, not some nonsense you can
ignore in favor of some other name you find in the envelope or
headers."  An explicit declaration is important.  As any border guard will
tell you, we need to separate the dishonest from the merely incompetent.




Bad idea. Changing the format of existing dialogs in ways which could break
unsuspecting parties is _never_ good.

There _is_ an mechanism in SMTP by which the receiver can declare the protocol
extensions it supports. If the receiver sees one it understands it then knows
it's OK to send that protocol element - perhaps starting a dialog.  I proposed
the use of this mechanism during the active days of MXCOMP to handle a very
similar situation.

_But_, before we get into details of that, think through what you would do with
the information:

1) What does the sender put here?  The admin-domain of the organization which
owns the host (which is what many people do), or the host-name of the machine
itself, or the domain of the Mail-From of the message it is about to send?

2) If the domain of the Mail-From: what happens if severeal different messages
are to be sent (with different Mail-Froms) during this one SMTP dialog?

3) If it puts the root-domain of its owning organization , and the Mail-From
domain of the message being sent is different, what does the receiver make of
that?

4) Whatever it says, how do you know it is not lying? How many DNS queries will
it take you to find out?

It might also be worth your while to understand what CSV is attempting to do.

Chris Haynes
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Sender's Identity Declaration, David MacQuigg
Next by Date:  Re: FUD on Forwarding Problems and DNS Abuse, Frank Ellermann
Previous by Thread:  Sender's Identity Declaration, David MacQuigg
Next by Thread:  spf cookbook, Andy Bakun
Indexes:  [Date] [Thread] [Top] [All Lists]