1 |
On 8/20/20 7:39 PM, Caveman Al Toraboran wrote: |
2 |
> 1. receipt by final mail server (mandatory). |
3 |
|
4 |
You're missing the point that each and every single server along the |
5 |
path between the original submission server and the final destination |
6 |
server is on the hook for delivery of the message -or- notification of |
7 |
it's failure back to the purported sender address. So "final mail |
8 |
server" is not sufficient. |
9 |
|
10 |
Each receiving server in the chain tells the sending server a definitive |
11 |
message that means "Okay, I've received the message and I will dutifully |
12 |
pass it on to the next server -or- report a problem." |
13 |
|
14 |
The RFCs defining SMTP don't consider a server crashing / power failing |
15 |
/ etc. after saying "Okay..." as sufficient reason to fail to perform |
16 |
the job. Even in the event of a crash / power fail, the receiving |
17 |
server MUST process the email when it recovers. |
18 |
|
19 |
Of course, there are servers that go against the RFC "MUST" directives |
20 |
and either don't safely commit messages to disk /before/ saying |
21 |
"Okay..." and / or don't deliver failure messages. There are still |
22 |
other servers that don't accept such incoming failure notices. Both of |
23 |
which are against RFC "MUST" directives and as such violating the SMTP |
24 |
specification and thereby breaking interoperability. Particularly the |
25 |
"trust" part there of. |
26 |
|
27 |
These failure notifications have standardized on Delivery Status |
28 |
Notification, a.k.a. DSN, and historically called a "bounce". There has |
29 |
been evolution from many disparate formats of a bounce to an industry |
30 |
standard DSN. Said industry standard DSN is defined in RFCs. |
31 |
|
32 |
DSNs MUST be non-optional for failure. The only exception is if the |
33 |
sending system uses an extra option to specify that a DSN should /not/ |
34 |
be sent in the event of a failure. Receiving systems are compelled to |
35 |
send DSNs in the absence of said option. |
36 |
|
37 |
> 2. receipt by end user(s) (optional). |
38 |
> 3. opening by end user(s) (optional). |
39 |
|
40 |
These notifications are generally considered to be Message Disposition |
41 |
Notifications, and are optional. Further, the client is what sends MDNs |
42 |
/if/ it chooses to do so. MDNs are even more unreliable than DSNs. |
43 |
|
44 |
> (1) is required by the server, else mail will be retransmitted from |
45 |
> source relay(s) (or client if done directly). (2) is optional by |
46 |
> final server, (3) is optional by end user's client. |
47 |
|
48 |
#1 is generated by RFC compliant servers. Not all servers are RFC |
49 |
compliant. |
50 |
|
51 |
#2 and #3 are generated by end user clients. Not all clients are |
52 |
willing to to do so. |
53 |
|
54 |
> the job of a relay would be to optionally add some metadata |
55 |
|
56 |
This really isn't optional. |
57 |
|
58 |
*SOMETHING* /standard/ *MUST* be added. If for no other reason than to |
59 |
detect and prevent loops. |
60 |
|
61 |
> (e.g. maybe describing sender's role) and sign the whole thing (e.g. by |
62 |
> company's private key). |
63 |
|
64 |
I would suggest a /server's/ private key, and *NOT* the company's |
65 |
private key. There is a HUGE difference in potential for private key |
66 |
exposure. If one server is compromised, the entire company could be |
67 |
crippled if the /company's/ private key is used. Conversely, if the |
68 |
/server's/ private key is used, then /only/ /the/ /server/ is compromised. |
69 |
|
70 |
It is quite possible to have the company's public key published such |
71 |
that the company's internal CA can issue individual keys to each server. |
72 |
|
73 |
Signing will be of somewhat limited value as it will quite likely be |
74 |
subject to the same problem that DMARC / ARC suffer from now. Mail |
75 |
servers can sign what they receive. But in doing so, they alter what is |
76 |
sent to include their signature. As such, the data that the next server |
77 |
receives is different. The real problem is working backwards. Down |
78 |
stream servers don't have a reliable way to undo what upstream servers |
79 |
have done to be able to get back to the original message to validate |
80 |
signatures. |
81 |
|
82 |
There is also the fact that various fields of the email are allowed to |
83 |
have specific trivial modifications made to them, such a line wrapping |
84 |
or character encoding conversion. Such changes don't alter the content |
85 |
of the message, but they do alter the bit pattern of the message. These |
86 |
types of changes are even more difficult to detect and unroll as part of |
87 |
signature validation. |
88 |
|
89 |
> this way we can have group-level rules. |
90 |
|
91 |
I'm not quite sure what you mean by group-level rules in this context. |
92 |
|
93 |
|
94 |
|
95 |
-- |
96 |
Grant. . . . |
97 |
unix || die |