[mail-vet-discuss] New draft for review
Murray S. Kucherawy
msk at sendmail.com
Wed Jul 11 16:03:46 PDT 2007
Michael Thomas wrote:
>>>> An MTA compliant with this specification MUST add this header to
>>>> indicate the host which performed the authentication tests, the
>>>> authentication methods tested and the results of the tests. If more
>>>> than one test is done, the MTA MUST either add this header once per
>>>> test or add one header to convey all the results. An MTA MUST NOT
>>>> add the result to an existing header.
>
>
> I don't understand the reason for this restriction, and I understand
> even less how you expect it to be enforced. Consider this:
>
> border(spf)->mta(dkim)->delivery
>
> why should it be illegal for the middle mta to add the dkim results
> to the existing upstream auth-res? Does it cause some sort of security
> problem? Or any other kind of problem? The only kind of security problem
> I can see is if it added it to an _untrusted_ auth-res, but that would
> be pretty silly.
It's mainly to require that the hostname in the A-R header indicate where the
status was evaluated. If it claims "border" and "mta" modifies it, the consumer
of the header will be led to believe that "border" did both evaluations, which is
inaccurate.
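
The attribution point in the reply above, as an added example that is not part of the thread or the draft: a consumer credits every result to the hostname that opens the header, so a result appended by "mta" to "border"'s header is credited to "border". The `hostname; method=result` layout follows the later published form of the header, and the example.* hostnames and the trusted set are assumptions.

```python
from email import message_from_string

# Constructed sample: each hop adds its own header, as the draft requires.
SEPARATE = (
    "Authentication-Results: mta.example.com; dkim=pass header.d=example.org\n"
    "Authentication-Results: border.example.com; spf=pass smtp.mailfrom=example.org\n"
    "Authentication-Results: outside.example.net; dkim=pass header.d=example.org\n"
    "From: a@example.org\n\nbody\n"
)
# Constructed sample: "mta" appended its DKIM result to border's header.
MERGED = (
    "Authentication-Results: border.example.com; spf=pass smtp.mailfrom=example.org;"
    " dkim=pass header.d=example.org\n"
    "From: a@example.org\n\nbody\n"
)
TRUSTED = {"border.example.com", "mta.example.com"}  # assumed local hosts


def results_by_host(raw, trusted=TRUSTED):
    """Return {evaluating host: {method: result}} for trusted headers only."""
    msg = message_from_string(raw)
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        head, _, rest = value.replace("\n", " ").partition(";")
        parts = head.split()
        if not parts:
            continue
        host = parts[0].lower()  # the hostname that claims the evaluation
        if host not in trusted:
            continue  # a header from an unknown host carries no weight
        for clause in rest.split(";"):
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, result = tokens[0].split("=", 1)
                out.setdefault(host, {})[method.lower()] = result.lower()
    return out


if __name__ == "__main__":
    print(results_by_host(SEPARATE))  # dkim credited to mta, spf to border
    print(results_by_host(MERGED))    # both credited to border
```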