> Date: 2005-06-07 16:37 > From: Dave Crocker <dhc2@xxxxxxxxxxxx> > > 1) What the implications of treating out-of-network mail injection as > > submission are. > > Unfortunately, you are asking an entirely open-ended question and I do not know > what "implications" you are looking for. One disturbing implication is that message submission permits modification of a message without the knowledge or consent of the connecting client. Of course a relay operator can whisper "this is a gateway" and do the same sort of modifications with the same lack of client knowledge or consent. > I DO know what happens when there is unauthenticated relaying that originates > from outside one's network. What happens is that you get blacklisted. It is, > after all, what the term "open relay" refers to and what is so popular with mass > spammers. Dave, I think you know the difference, but since this is a general list, an "open relay" is one that forwards messages which neither originate from nor are destined for its administrative domain. Simply authenticating relaying ("yes, it's from outside and destined for outside") doesn't close an open relay. [and I have carefully avoided defining "originate from" or "administrative domain"] > > In particular, what would be the difference > > between treating this as submission and treating it as relaying > > with a requirement for authentication/authorization? > > The major difference is accountability. When a message is treated as a > submission, then the submission agent (MSA) is able to take a reasonable degree > of responsibility for the (new) message. For simple relaying, such > accountability is essentially impossible. There is really only a "new" message it the content is substantially modified. Of course both MSAs and MTAs (acting as gateways) are permitted to modify content, but neither is required to do so. > Simply put, the open Internet's email infrastructure is under attack. The > postal mail global infrastructure, and all of the large-scale services that do > global transfers, are subject to a high degree of accountability for their > activities and they have a significant degree of control they impose at their > boundaries. By contrast, Internet mail is entirely open, with no trusted core. I (hypothetically) write "Dave Crocker" in the return address space on an envelope, address it, and pop it into a mailbox. Exactly how is there either "a high degree of accountability" or "a significant degree of control" on the part of the post office? > The (unfortunately predictable) development of abuses of this service are > requiring development of practises that tighten things up. The challenge is to > do this in a way that does not create some sort of centralized control. Or a multitude of "railroad barons" each with incompatible standards and refusing to cooperate with others (in which case centralized control would be preferable and desirable in the community interest). _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf