dwmw2 at infradead
Feb 23, 2004, 5:25 PM
Re: Cryptographic authentication of sender addresses.
On Mon, 2004-02-23 at 11:59 -0500, Meng Weng Wong wrote:
> On Mon, Feb 23, 2004 at 04:54:01PM +0000, David Woodhouse wrote:
> | http://lists.infradead.org/mailman/listinfo/sender-auth
>
> The ASRG is generally the catch-all for this kind of discussion, see
> http://asrg.sp.am/subgroups/msg_verify.shtml

There doesn't seem to be much of interest there.

To be honest, I'm not really in search of a solution to the supposed problem of people faking my mail addresses. It's _SPF_ which is my problem, and I'm just looking for a minimal workaround for the breakage it has caused to my users.

My inclination at this point is just to declare the final recipient domains which are rejecting my forwarded mail to be broken. Implementing SPF-checking before SRS was either viable or widespread was just a completely bizarre and broken decision on their part, IMHO. I'm beginning to think that I've done them a disservice by implementing SRS and letting them think they're not on crack; I should have just pointed out the error of their ways.

As far as I can tell, everything SPF can do is achievable with far less breakage by SRS-style rewriting of outgoing mail and sender-verification callouts.

For example -- if I only ever send mail from addresses like SRS0+HHH+TT+infradead.org+<user>@srs.infradead.org, and never from <user>@infradead.org, then I can reject bounces to <user>@infradead.org, which means sender verification callouts will fail too. This gives hosts out there doing sender verification _all_ the hints they need to avoid joe-jobs which look like they're from one of my users.

Hosts out there which _don't_ bother to do sender verification will always exist, of course. There's still open relays and hosts which talk only SMTP. But interested parties can trivially do it and many already do. All I have to do is the simple rewriting of _my_ outbound SMTP reverse-paths, which is the conceptual equivalent to 'publishing' SPF records.

There's no breakage; there's no requirement for uninterested third parties to change _anything_. It just works, today, and no breakage is caused if the whole world doesn't implement some workaround for the flaws in the plan.

If someone doesn't implement the SRS-style rewriting of outgoing mail, their mail can be forged -- just like those who don't publish SPF records. If someone doesn't implement callouts, they'll receive forged mail -- just like those who don't check SPF records. Of course you _have_ to opt in if you want to be protected. But you don't have to require that uninterested third parties join in too, just because you chose a scheme which makes that completely unrealistic requirement.

That said, I'm _also_ interested in the potential solution offered by cryptographic signing of mail. The only really interesting (i.e. non-trivial) part of that is how we canonicalise the mail in order to avoid the signature being invalidated by forwarding hosts -- I've posted some initial thoughts to the list on this.

--
dwmw2

-------
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2
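An added illustration (not code from the post or the list) of the scheme described above: outbound reverse-paths are rewritten to SRS0+HHHH+TT+domain+user@srs.infradead.org, and a bounce is accepted only if it carries a valid hash and a fresh timestamp, so bounces and callouts to the bare user@infradead.org address are refused. It assumes the SRS convention of a 4-character base64 HMAC-SHA1 hash and a two-character base32 day counter; the secret and dates are constructed.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-example-secret"        # placeholder, not a real key
SRS_DOMAIN = "srs.infradead.org"               # bounce domain from the post
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"       # SRS timestamp alphabet
SEP = "+"                                      # separator used in the post


def srs_timestamp(days):
    """Two base32 characters encoding days-since-epoch modulo 1024."""
    return B32[(days // 32) % 32] + B32[days % 32]


def srs_hash(ts, domain, user):
    """First 4 base64 chars of HMAC-SHA1 over the fields being protected."""
    msg = (ts + domain + user).lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest())[:4].decode()


def rewrite_sender(user, domain, days):
    """Outbound rewrite: user@domain -> SRS0+HHHH+TT+domain+user@SRS_DOMAIN."""
    ts = srs_timestamp(days)
    return f"SRS0{SEP}{srs_hash(ts, domain, user)}{SEP}{ts}{SEP}{domain}{SEP}{user}@{SRS_DOMAIN}"


def reverse_bounce(rcpt, today, max_age_days=21):
    """Return the original sender for a valid SRS0 bounce recipient, else None."""
    local, _, dom = rcpt.rpartition("@")
    if dom.lower() != SRS_DOMAIN or not local.startswith("SRS0" + SEP):
        return None                      # includes bare user@infradead.org
    parts = local[5:].split(SEP, 3)      # hash, timestamp, domain, user
    if len(parts) != 4:
        return None
    h, ts, domain, user = parts
    if not hmac.compare_digest(h, srs_hash(ts, domain, user)):
        return None                      # hash mismatch: not one we issued
    ts = ts.upper()
    try:
        t = B32.index(ts[0]) * 32 + B32.index(ts[1])
    except (ValueError, IndexError):
        return None
    if (today - t) % 1024 > max_age_days:
        return None                      # stale: replay of an old address
    return f"{user}@{domain}"


def accept_bounce(rcpt, today):
    """Bounce policy from the post: only valid SRS0 recipients are accepted."""
    return reverse_bounce(rcpt, today) is not None
```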