[mail-vet-discuss] Auth-Results issues? #5 removing A-R header

Tony Hansen tony at att.com
Wed Mar 22 21:45:17 PST 2006


Right now, it says:

   For security reasons, an MTA SHOULD remove any discovered instance of
   this header for which the "hostname" is its own, i.e. headers which
   claim to be from the MTA but were added before the mail arrived at
   the MTA for processing.  A border MTA MAY also delete any discovered
   instance of this header which claims to have been added within its
   trust boundary.  For example, a border MTA at mx.example.com SHOULD
   delete any instance of this header claiming to come from
   mx.example.com and MAY delete any instance of this header claiming
   to come from any host in example.com prior to adding its own
   headers.  This applies in both directions so that hosts outside the
   domain cannot claim results MUAs inside the domain might trust.

I'm really surprised that these are SHOULDs and MAYs, instead of MUSTs.
If one of those got through, there'd be serious difficulties.

Is the reason a problem with mandating something for all MTAs? If so,
how about using the phrase "an Authentication-Results aware MTA" instead
of "an MTA"? Or "an MTA representing a given hostname"?

Discussion?

	Tony Hansen
	tony at att.com
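
The removal rule quoted in the message above, sketched as an added example (not code from the draft or from the poster). It assumes the claimed hostname is the first token before the first ";" in the header value; the function names, the sample message and the result text after the ";" are constructed for illustration.

```python
import re
from email import message_from_string

AR = "authentication-results"

def claimed_host(value):
    """Host an Authentication-Results value claims to come from (lowercased)."""
    value = re.sub(r"\([^()]*\)", " ", value)   # drop simple (comments)
    tokens = value.split(";", 1)[0].split()     # text before the first ';'
    return tokens[0].lower().rstrip(".") if tokens else ""

def strip_claimed_results(raw, own_host, trust_domain=None):
    """Drop A-R headers that claim own_host (the SHOULD case) and, when
    trust_domain is given, any host inside it (the MAY case).
    Returns (message, removed_values); other headers keep their order."""
    msg = message_from_string(raw)
    own = own_host.lower().rstrip(".")
    dom = trust_domain.lower().rstrip(".") if trust_domain else None
    headers = msg.items()                       # ordered copy of all headers
    for name in {n for n, _ in headers}:
        del msg[name]
    removed = []
    for name, value in headers:
        host = claimed_host(value) if name.lower() == AR else None
        # Match on a label boundary so notexample.com is not "in" example.com.
        inside = dom and (host == dom or (host or "").endswith("." + dom))
        if host is not None and (host == own or inside):
            removed.append(value)               # claim made before we saw the mail
        else:
            msg[name] = value
    return msg, removed

# Constructed inbound message as seen by the border MTA mx.example.com,
# before it adds its own Authentication-Results header.
SAMPLE = (
    "Received: from outside.example.net by mx.example.com\n"
    "Authentication-Results: mx.example.com; spf=pass\n"
    "Authentication-Results: MAIL.Example.COM.; dkim=pass\n"
    "Authentication-Results: mx.notexample.com; spf=pass\n"
    "From: sender@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    cleaned, dropped = strip_claimed_results(SAMPLE, "mx.example.com", "example.com")
    print("removed:", dropped)
    print("kept:", cleaned.get_all("Authentication-Results"))
```
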

