[mail-vet-discuss] Draft as of 9/4/2007
Michael Thomas
mike at mtcc.com
Sun Oct 14 09:32:40 PDT 2007
John Levine wrote:
>> Any MTA that is concerned about client security and misinterpretation
>> should strip out ALL AR headers except for its own. Anything else
>> opens up ambiguities in terms of who the client can trust.
>>
>
> Except that breaks an actual use case. I have a bunch of mail
> addresses other places that forward mail to my regular address. The
> forwarders are all easy to recognize due to fixed IP addresses and
> consistent received header syntax. The AR headers that the forwarders
> add would be quite useful to me, and I really don't want to have to go
> patching my MTA to tell it what users expect mail forwarded from what
> places in order to get to look at them.
>
Surely you're not advocating a MUST NOT strip, or even a SHOULD NOT
strip. The third parties can sign after all and then you'd just trust
them directly.
Trying to expect unauthenticated cross administrative good bits to
remain good is pretty crazy if you ask me.
Mike
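
The strip-everything policy quoted at the top of this message, as an added example that is not part of the original post or of any MTA's code: a border filter removes every received AR header, including one forged under the receiver's own name, then records its own result. It assumes "AR" is the Authentication-Results header with an `authserv-id; results` layout; the host names, result strings and function names are constructed for illustration.

```python
from email import message_from_string, policy

LOCAL_AUTHSERV_ID = "mx.example.net"  # assumed name of the receiving MTA

# Constructed inbound message: one AR header added by a forwarder and one
# forged header that claims to come from the receiving MTA itself.
SAMPLE = (
    "Received: from forwarder.example.org by mx.example.net;"
    " Sun, 14 Oct 2007 09:00:00 -0700\n"
    "Authentication-Results: forwarder.example.org; dkim=pass header.i=@example.com\n"
    "Authentication-Results: mx.example.net; dkim=pass header.i=@bank.example\n"
    "From: someone@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def authserv_id(value):
    """Return the identifier before the first ';' (simplified: no comment parsing)."""
    return value.split(";", 1)[0].strip().lower()


def sanitize_inbound(raw, local_id, own_results):
    """Strip every received AR header, then add the local MTA's own result.

    Returns (message, authserv-ids of the removed headers) so the removals
    can be logged. Nothing received is kept, so a header forged under
    local_id cannot survive to be mistaken for the real one.
    """
    msg = message_from_string(raw, policy=policy.default)
    removed = [authserv_id(str(v))
               for v in msg.get_all("Authentication-Results", [])]
    del msg["Authentication-Results"]  # removes all occurrences, not just one
    # email.message appends new headers; a real MTA would prepend its own.
    msg["Authentication-Results"] = f"{local_id}; {own_results}"
    return msg, removed


if __name__ == "__main__":
    cleaned, dropped = sanitize_inbound(
        SAMPLE, LOCAL_AUTHSERV_ID, "dkim=fail header.i=@bank.example")
    print("removed:", dropped)
    print(cleaned.as_string())
```

Keeping a forwarder's header, as the quoted use case wants, would need an authenticated link to that forwarder (the signing suggested in the reply); matching on the authserv-id string alone proves nothing, as the forged second header shows.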