[mail-vet-discuss] Seeking consensus on MUA use
Victor.Duchovni at morganstanley.com
Mon Dec 15 07:58:01 PST 2008
On Sun, Dec 14, 2008 at 10:39:08PM -0800, Douglas Otis wrote:
> > I always considered the purpose of this header is to communicate
> > authentication results. I don't think an IP address is an
> > authentication result. I'd think it was out of scope.
> Sender-ID or SPF do not authenticate a domain! These schemes indicate
> whether a domain within a message _authorized_ the IP address of the
> SMTP client.
The SPFv1 record has indeed been coopted by Sender-ID to mean things the
publisher of the SPF record may not have intended.
> There are serious unresolved issues with Sender-ID and SPF.
The solution IMHO is to not use SPF or Sender-ID. I don't see where this
draft forces one to use these mechanisms.
> There is no reason not to include the IP address of the SMTP client
> within the SPF or Sender-ID results. Stop describing the
> authorization process as "Authentication". Again, for either SPF or
> Sender-ID, the only weakly authenticated element would be the IP
> address of the SMTP client. The only element that should be in scope
> would be the IP address of the SMTP client.
The IP address is "authenticated", by TCP (ability to complete 3-way
handshake) not SPF. What SPF/SID do poorly is verify that the domain
(MAIL.From or PRA) has authorized that IP to send on its behalf. The
A-R header records the authorizing domain so that its reputation can be
applied to appropriate messages from the IP (not the converse). The
goal is to enable this.
If downstream filters or MUAs want to use IP reputation and not domain
reputation (whether the domain is authenticated, or verified to have
authorized, ...) they need the IP address regardless of any domain
authentication protocols, and don't really need an A-R header at all.
The question of how to pass expanded envelope data to downstream MTAs
and filters is not currently addressed by the draft.
Postfix uses XFORWARD <http://www.postfix.org/XFORWARD_README.html>.
There are some advantages to using extended commands, and some to
using headers, and there is more interesting information to pass
than just the IP address.
Should A-R always pass the client IP (in which case this is not
an SPF/SID specific issue)? Maybe, provided A-R is the right
mechanism to carry this additional payload.
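
The distinction drawn above, between applying a domain's reputation when it has authorized the client IP and falling back to IP reputation otherwise, as an added example that is not part of the original post or of the draft. The header syntax (`authserv-id; method=result ptype.property=value`), the sample values, and the `client_ip` and `trusted_id` parameters are assumptions made for illustration.

```python
import re

# Constructed sample header values (not taken from the thread).
PASS_HDR = "mx.example.org; spf=pass (ip authorized) smtp.mailfrom=sender.example.net"
FAIL_HDR = "mx.example.org; spf=fail smtp.mailfrom=forged.example.com"
FOREIGN_HDR = "mx.other.example; spf=pass smtp.mailfrom=bank.example"


def parse_authres(value):
    """Split an A-R header value into (authserv_id, list of result dicts)."""
    value = re.sub(r"\([^()]*\)", " ", value)      # drop (comments)
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue                                # e.g. the bare "none" form
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(), "result": result.lower(),
                        "props": props})
    return authserv_id, results


def reputation_key(ar_value, client_ip, trusted_id):
    """Choose what a downstream filter should score.

    client_ip never comes from the A-R header: the filter must obtain it
    separately (hypothetical parameter, e.g. relayed by the MTA).
    """
    authserv_id, results = parse_authres(ar_value)
    if authserv_id == trusted_id.lower():           # ignore headers we did not add
        for r in results:
            domain = r["props"].get("smtp.mailfrom", "")
            if r["method"] == "spf" and r["result"] == "pass" and domain:
                # Domain authorized this IP: apply the domain's reputation.
                return ("domain", domain.rsplit("@", 1)[-1].lower())
    # No verified authorization: only IP reputation is available.
    return ("ip", client_ip)
```
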