[mail-vet-discuss] Auth-Results issues? #5 removing A-R header
arvel.hathcock at altn.com
Tue Mar 28 11:51:02 PST 2006
These have to be changed to MUST. Supposing an MUA begins to make
decisions based on these headers (as my MUA already does) then making
removal of these headers an optional thing is a huge security problem.
Tony Hansen wrote:
> Right now, it says:
> For security reasons, an MTA SHOULD remove any discovered instance of
> this header for which the "hostname" is its own, i.e. headers which
> claim to be from the MTA but were added before the mail arrived at
> the MTA for processing. A border MTA MAY also delete any discovered
> instance of this header which claims to have been added within its
> trust boundary. For example, a border MTA at mx.example.com SHOULD
> delete any instance of this header claiming to come from mx.exam-
> ple.com and MAY delete any instance of this header claiming to come
> from any host in example.com prior to adding its own headers. This
> applies in both directions so that hosts outside the domain cannot
> claim results MUAs inside the domain might trust.
> I'm really surprised that these are SHOULDs and MAYs, instead of MUSTs.
> If one of those got through, there'd be serious difficulties.
> Is the reason a problem with mandating something for all MTAs? If so,
> how about using the phrase "an Authentication-Results aware MTA" instead
> of "an MTA"? Or "an MTA representing a given hostname"?
> Tony Hansen
> tony at att.com
> NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
More information about the mail-vet-discuss