On Apr 15, 2008, at 4:09 AM, Charles Lindsey wrote:

> On Mon, 14 Apr 2008 19:06:05 +0100, Douglas Otis <[EMAIL PROTECTED] abuse.org> wrote:
>
>> RFC 2822 does not depend upon SMTP as being the message exchange  
>> protocol.  In addition, future message exchange protocols may  
>> depend upon different address resolution protocols, such as PRNP.   
>> PPNP avoids any reliance upon DNS, for example.  Any protocol that  
>> might replace DNS may also adopt a strategy of DNS independence.   
>> Unless ADSP specifies policies are limited to SMTP, it would be  
>> incorrect to conclude existence checks can or should depend upon  
>> DNS resource records.
>
> But how do you know which protocol the message was written for?
>
> If it arrives at your site via SMTP, then you should apply the ADSP  
> rules appropriate to SMTP. If it actually started life being  
> transported by XXTP, then you just have to assume that the XXTP to  
> SMTP gateway had fixed it up (e.g. by not letting it through at all  
> if it was going to violate someone's policy).

SMTP only defines "MAIL FROM" as an SMTP suitable email-address.   
Email-addresses contained within the RFC2822 headers may adopt  
different regimes pertaining to different address resolution or  
transport protocols.  In addition, DKIM is not limited to an email  
address suitable for SMTP.  One might assume any email-address signed  
by DKIM is suitable with SMTP.  However, a transport protocol  
transition will likely involve transport conversion gateways.

> Conversely, if it arrives at your site via XXTP, then it may or may  
> not be worth trying ADSP on it (depending on whether or not you have  
> DNS access). It is again really a matter for any earlier SMTP to  
> XXTP to have sorted the matter out (e.g. by verifying it and not  
> passing it on if it failed).

For example, assume XXTP uses a different discovery method from that  
of SMTP.  To clarify a protocol dependence, email-addresses using a  
new protocol might include a postfix label of 'xxtp', such as
"[EMAIL PROTECTED]".  Here, DKIM could establish associations between the different name  
spaces.  Unfortunately, attempts at applying an 'existence' test to  
support ADSP From header compliance would also make addresses suitable  
for different transport protocols fragile when carried over SMTP.

So, ADSP must either assume email-addresses within the From header are  
suitable for use with SMTP, and then check for SMTP specific DNS  
resource records, or require each domain to publish policy resource  
records.

Although there is a difference between accounts.big-bank.com and  
big-bank.com, this difference enables a fair amount of spoofing.  There  
are no practical limits that could be applied to domain tree walking,  
since us.accounts.big-bank.com also represents a similar risk.   
NXDOMAIN, as a means to circumvent domain tree walking, is problematic  
when a domain, network provider, or TLD provider makes use of  
wildcards.  NXDOMAIN also assumes _all_ email-addresses contained  
within the From header are suitable for some undefined transport that  
also depends upon DNS.  While this assumption is often correct, making  
this assumption a requirement must be deliberate, where this will  
affect SMTP overall extensibility.

-Doug
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
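
Added example, not part of the message above or of any ADSP implementation: a small in-memory model of an authoritative zone showing how the NXDOMAIN existence test discussed in the thread behaves once a wildcard is published. The zone contents, the function names and the simplified RFC 4592 matching are assumptions made for illustration.

```python
# Added illustration. Zone contents are constructed; wildcard matching is a
# simplified model of RFC 4592 (closest encloser + '*' child), not a resolver.
NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"

def zone_names(apex, owners):
    """Names that exist in the zone: record owners plus empty non-terminals."""
    names = set()
    for owner in owners:
        labels = owner.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name == apex or name.endswith("." + apex):
                names.add(name)
    return names

def rcode(qname, apex, owners):
    """Response code an authoritative server for `apex` would return."""
    qname = qname.lower().rstrip(".")
    names = zone_names(apex, owners)
    if qname in names:
        return NOERROR
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in names:
            # Only a wildcard directly below the closest encloser applies.
            return NOERROR if "*." + encloser in names else NXDOMAIN
    return NXDOMAIN

def from_domain_exists(domain, apex, owners):
    """The NXDOMAIN-based existence test applied to a From header domain."""
    return rcode(domain, apex, owners) != NXDOMAIN

APEX = "big-bank.com"
PLAIN = ["big-bank.com", "accounts.big-bank.com"]   # constructed zone
WILDCARD = PLAIN + ["*.big-bank.com"]               # same zone plus a wildcard

if __name__ == "__main__":
    for domain in ["accounts.big-bank.com", "us.accounts.big-bank.com",
                   "nosuch.big-bank.com", "a.b.big-bank.com"]:
        print(f"{domain:28} plain={from_domain_exists(domain, APEX, PLAIN)!s:5} "
              f"wildcard={from_domain_exists(domain, APEX, WILDCARD)}")
```

With the wildcard published, any name whose closest existing ancestor is the apex passes the existence test. us.accounts.big-bank.com still yields NXDOMAIN only because accounts.big-bank.com exists and has no wildcard of its own.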
