[mail-vet-discuss] New draft for review
SM
sm at resistor.net
Fri Jun 1 14:48:35 PDT 2007
At 09:30 01-06-2007, Michael Thomas wrote:
>I don't understand the reason for this restriction, and I understand
>even less how you expect it to be enforced. Consider this:
>
>border(spf)->mta(dkim)->delivery
>
>why should it be illegal for the middle mta to add the dkim results
>to the existing upstream auth-res? Does it cause some sort of security
>problem? Or any other kind of problem? The only kind of security problem
>I can see is if it added it to an _untrusted_ auth-res, but that would
>be pretty silly.
Initially, the hostname could be used to tell where the results were
evaluated. That would explain why the dkim results shouldn't be
appended to a header inserted upstream. If we are going to use an
authentication identifier, we can append results if the border and
the mta are using the same identifier.
There may be a problem. Assuming that there was a spoofed header in
the message and for some reason, the border didn't process the
message for an auth-res header. mta will be adding the dkim results
to the untrusted auth-res header. This problem would be more
inherent to using the same identifier on more than one host.
Regards,
-sm
More information about the mail-vet-discuss
mailing list