[mail-vet-discuss] Auth-Results issues? #11 section 9 examples
arvel.hathcock at altn.com
Tue Mar 28 12:04:03 PST 2006
he he... nothing slips by Tony.
Tony Hansen wrote:
> In section 9.2, an A-R is shown that does not do any authentication.
> Therefore, there is no verified identity and the headerspec
> header.from=sender at example.com should not be shown. It hasn't been verified.
> In section 9.3, it shows an MTA adding an A-R header based on auth. I'm
> sorry, but this is an impossible case. Authentication is done when the
> message is submitted, not by the receiving MTA. These will almost
> *never* be the same server. Also, it is specified with an smtp.mail
> headerspec, which is wrong for auth, which should be using smtp.auth
> instead of smtp.mail.
> In section 9.4, an example is shown that combines auth=pass with
> spf=pass. I'm sorry, but this is an impossible case. Authentication is
> done when the message is submitted, whereas spf is checked by the
> receiving MTA. These will almost *never* be the same server. Also, they
> are combined under the smtp.mail headerspec, which is wrong for auth,
> which should be smtp.auth instead of smtp.mail.
> In section 9.5, an example is shown that combines a sender-id check with
> a dkim check, both under a headerspec of header.from=sender at example.com.
> This is wrong for several reasons. The sender-id check can certainly be
> used with that headerspec. But dkim 1) does not provide an identity from the
> From: header, and 2) does not provide for user id validation. And again,
> an auth=pass and an spf=fail are combined together, which is wrong as
> was discussed in section 9.4.
> Tony Hansen
> tony at att.com
> NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
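A small lint for Authentication-Results values that encodes the headerspec pairings Tony raises above (auth under smtp.auth rather than smtp.mail, no identity without a method that verified it, no header.from claimed by dkim, and no submission-time auth mixed with receiver-side checks in one header). This is an added example, not text from the draft or code from the list; the method-to-property table, the submission/receiver split and the sample header values are constructed assumptions for illustration, using the draft-era "smtp.mail" spelling from the thread.

```python
import re

# Assumed policy (constructed from the thread's arguments): which property each
# method may legitimately report. DKIM is deliberately absent because, per the
# critique, it does not verify the From: header identity.
EXPECTED_PROPERTY = {
    "auth": "smtp.auth",      # SMTP AUTH happens at submission
    "spf": "smtp.mail",       # SPF checked by the receiving MTA on MAIL FROM
    "sender-id": "header.from",
}
# Assumed split: auth results are produced at submission, the others at receipt.
SUBMISSION_METHODS = {"auth"}
RECEIVER_METHODS = {"spf", "sender-id", "dkim"}

METHOD_RE = re.compile(r"^\s*([a-z0-9-]+)\s*=\s*([a-z]+)\s*(.*)$", re.I)
PROP_RE = re.compile(r"([a-z]+\.[a-z]+)\s*=\s*(\S+)", re.I)


def parse_ar(value):
    """Parse 'authserv-id; method=result prop=value ...; ...' into result dicts."""
    parts = [p.strip() for p in value.split(";")]
    authserv, results = parts[0], []
    for part in parts[1:]:
        m = METHOD_RE.match(part)
        if not part or part.lower() == "none" or not m:
            continue  # 'none' and stray property-only segments carry no method
        props = {k.lower(): v for k, v in PROP_RE.findall(m.group(3))}
        results.append({"method": m.group(1).lower(),
                        "result": m.group(2).lower(), "props": props})
    return authserv, results


def lint_ar(value):
    """Return a list of issue strings for one Authentication-Results value."""
    _, results = parse_ar(value)
    issues = []
    # Section 9.2 case: an identity is shown although nothing authenticated it.
    if not results and PROP_RE.search(value):
        issues.append("identity given but no method verified it")
    methods = set()
    for r in results:
        methods.add(r["method"])
        want = EXPECTED_PROPERTY.get(r["method"])
        for prop in r["props"]:
            if want and prop != want:  # e.g. auth=pass under smtp.mail (9.3)
                issues.append(f"{r['method']} reported under {prop}, expected {want}")
        if r["method"] == "dkim" and "header.from" in r["props"]:  # 9.5 case
            issues.append("dkim does not verify header.from")
    if methods & SUBMISSION_METHODS and methods & RECEIVER_METHODS:  # 9.4 case
        issues.append("submission-time auth combined with receiver-side check in one A-R")
    return issues
```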