[mail-vet-discuss] Auth-Results issues? #5 removing A-R header

[Arvel Hathcock]

These have to be changed to MUST.  Supposing an MUA begins to make 
decisions based on these headers (as my MUA already does) then making 
removal of these headers an optional thing is a huge security problem.

-- 
Arvel

Tony Hansen wrote:
> Right now, it says:
> 
>    For security reasons, an MTA SHOULD remove any discovered instance of
>    this header for which the "hostname" is its own, i.e. headers which
>    claim to be from the MTA but were added before the mail arrived at
>    the MTA for processing.  A border MTA MAY also delete any discovered
>    instance of this header which claims to have been added within its
>    trust boundary.  For example, a border MTA at mx.example.com SHOULD
>    delete any instance of this header claiming to come from mx.exam-
>    ple.com and MAY delete any instance of this header claiming to come
>    from any host in example.com prior to adding its own headers.  This
>    applies in both directions so that hosts outside the domain cannot
>    claim results MUAs inside the domain might trust.
> 
> I'm really surprised that these are SHOULDs and MAYs, instead of MUSTs.
> If one of those got through, there'd be serious difficulties.
> 
> Is the reason a problem with mandating something for all MTAs? If so,
> how about using the phrase "an Authentication-Results aware MTA" instead
> of "an MTA"? Or "an MTA representing a given hostname"?
> 
> Discussion?
> 
> 	Tony Hansen
> 	tony at att.com
> _______________________________________________
> NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html