spf-discuss

Re: [spf-discuss] Re: RFC 4409

2006-09-14 22:17:23
On Thursday 14 September 2006 17:31, Frank Ellermann wrote:
Scott Kitterman wrote:

If the MUA didn't address the message correctly, give it back
to the MUA/author to fix.  Don't guess.

No guessing, 8.1 talks about a _known_ identity, otherwise it's
not applicable.  The actual text starting with the 8 intro is:
| Sites MAY modify submissions to ensure compliance with
| standards and site policy.  This section describes a number
| of such modifications that are often considered useful.
|
| NOTE:  As a matter of guidance for local decisions to
| implement message modification, a paramount rule is to limit
| such actions to remedies for specific problems that have
| clear solutions.

[...]

| 8.1.  Add 'Sender'
|
| The MSA MAY add or replace the 'Sender' field, if the
| identity of the sender is known and this is not given in the
| 'From' field.

I've skipped an example in the intro, it's unrelated to 8.1,

As it is I think that 8.1 is obviously buggy, and fixing minor
errors should be allowed in this "standards process" business.
Of course I can't tell for sure, I never tested it before. :-)

The pre-conditions for 8.1 are "compliance with site policy"
and "clear solutions".  No wiggle room for "guessing".  For
the "compliance with standards" mentioning the Resent- cases
explicitly could make sense.

2476 is older than 2822, for 822 with at most one Resent-block
it's obvious how to get it right.  For 2822 it's less obvious.

In a perfect world the SenderID folks would be obliged to fix
this, and I could do what I really want, post an I-D declaring
this Resent-nonsense as obsolete.

The problem with the text as written as I see it is that it says if you know 
who sent it add in Sender.  It seems to be about making sure the Sender is a 
known entity.  That seems to me to leave the door open to a process that 
works something like:

MSA check for authorized user --- authorized
MSA check for Mail From/From --- NOT AUTHORIZED
MSA add as Sender authorized address for the authorized user --- Sender Authorized

So:

2821.Mail-From: Bogus
2822.From: Bogus
2822.Sender: Good

What does the user see?  In most cases it's the bogus addresses.

If the mail doesn't come from an authorized address, it should go back to the 
sender to fix it [I'll give them the stuff about re-writing internal forms 
into an appropriate form for external use - that's not impacted by this].

Scott K
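
The two MSA behaviours contrasted in the message above, as an added Python example that is not part of the original post and not code from any real MSA. The account table, addresses, reply texts and the `displayed_author` model of a mail client that shows only From are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed data: the one address each authenticated account may send as.
AUTHORIZED = {"alice": "alice@example.org"}

# Constructed submission; the envelope sender is passed in separately.
SAMPLE = ("From: Bogus <bogus@example.net>\r\n"
          "To: bob@example.com\r\n"
          "Subject: hello\r\n\r\nbody\r\n")

def unauthorized(auth_user, mail_from, msg):
    """List the sender identities the authenticated user may not claim."""
    good = AUTHORIZED[auth_user]
    claimed = {"2821.Mail-From": mail_from,
               "2822.From": parseaddr(msg.get("From", ""))[1]}
    return [name for name, addr in claimed.items() if addr.lower() != good]

def msa_add_sender(auth_user, mail_from, raw):
    """Accept the message and add or replace Sender with the known identity."""
    msg = message_from_string(raw)
    if unauthorized(auth_user, mail_from, msg):
        del msg["Sender"]                      # no-op if the field is absent
        msg["Sender"] = AUTHORIZED[auth_user]
    return "250 2.0.0 accepted", msg

def msa_reject(auth_user, mail_from, raw):
    """Refuse the submission so the author has to fix the addresses."""
    msg = message_from_string(raw)
    bad = unauthorized(auth_user, mail_from, msg)
    if bad:
        return "550 5.7.1 not authorized to send as: " + ", ".join(bad), None
    return "250 2.0.0 accepted", msg

def displayed_author(msg):
    """Model of a mail client that shows only the From address (assumption)."""
    return parseaddr(msg["From"])[1]

if __name__ == "__main__":
    for policy in (msa_add_sender, msa_reject):
        status, out = policy("alice", "bogus@example.net", SAMPLE)
        print(policy.__name__, "->", status)
        if out is not None:
            print("  Sender:", out["Sender"],
                  "| shown to reader:", displayed_author(out))
```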
