On Feb 25, 2009, at 11:42 PM, Murray S. Kucherawy wrote:
Doug,
On Wed, 25 Feb 2009 00:10:21 -0800, Doug Otis wrote:
The Sender-Header-Auth draft clouds what should be clear and
concise concepts. Organizations like Google have already remedied
many of the security concerns through inclusion of free form
comments.

For the sake of being thorough, I looked into this. A lead mail
engineer at Gmail (I assume you're referencing Gmail and not
Google's internal mail) tells me their inclusion of the relaying IP
address as a comment in their Authentication-Results header fields
has nothing to do with any sort of remedy in reference to any
concerns they have about the specification. It is for use by some
other internal processes (which he was not at liberty to discuss
further).

This overlooks their claim that SMTP client IP address information is
useful, even for undisclosed reasons. Even as a comment, it confirms
IP addresses found elsewhere using regex as a remedy for defeating
spoofed headers holding bogus IP addresses.

Since you cited a plurality, do you have any other specific examples?

Unfortunately, other major DKIM provider Yahoo! does not offer this
feature. Is your question aimed at ensuring the ESP wagons are
fully circled? The draft omits information that is essential for
checking whether a message source represents that of a NAT, for
example. This is not about whether to accept a message, which might
be where the reputation of the domain would matter, this is about
determining whether the *authorized* client is known to protect
message elements used to reference the authorizations. The
Authentication-Results header is not about which messages are to be
rejected, this header is about what results are safe to annotate.
-Doug