| 1 |
On 8/20/20 7:39 PM, Caveman Al Toraboran wrote: |
| 2 |
> 1. receipt by final mail server (mandatory). |
| 3 |
|
| 4 |
You're missing the point that each and every single server along the |
| 5 |
path between the original submission server and the final destination |
| 6 |
server is on the hook for delivery of the message -or- notification of |
| 7 |
it's failure back to the purported sender address. So "final mail |
| 8 |
server" is not sufficient. |
| 9 |
|
| 10 |
Each receiving server in the chain tells the sending server a definitive |
| 11 |
message that means "Okay, I've received the message and I will dutifully |
| 12 |
pass it on to the next server -or- report a problem." |
| 13 |
|
| 14 |
The RFCs defining SMTP don't consider a server crashing / power failing |
| 15 |
/ etc. after saying "Okay..." as sufficient reason to fail to perform |
| 16 |
the job. Even in the event of a crash / power fail, the receiving |
| 17 |
server MUST process the email when it recovers. |
| 18 |
|
| 19 |
Of course, there are servers that go against the RFC "MUST" directives |
| 20 |
and either don't safely commit messages to disk /before/ saying |
| 21 |
"Okay..." and / or don't deliver failure messages. There are still |
| 22 |
other servers that don't accept such incoming failure notices. Both of |
| 23 |
which are against RFC "MUST" directives and as such violating the SMTP |
| 24 |
specification and thereby breaking interoperability. Particularly the |
| 25 |
"trust" part there of. |
| 26 |
|
| 27 |
These failure notifications have standardized on Delivery Status |
| 28 |
Notification, a.k.a. DSN, and historically called a "bounce". There has |
| 29 |
been evolution from many disparate formats of a bounce to an industry |
| 30 |
standard DSN. Said industry standard DSN is defined in RFCs. |
| 31 |
|
| 32 |
DSNs MUST be non-optional for failure. The only exception is if the |
| 33 |
sending system uses an extra option to specify that a DSN should /not/ |
| 34 |
be sent in the event of a failure. Receiving systems are compelled to |
| 35 |
send DSNs in the absence of said option. |
| 36 |
|
| 37 |
> 2. receipt by end user(s) (optional). |
| 38 |
> 3. opening by end user(s) (optional). |
| 39 |
|
| 40 |
These notifications are generally considered to be Message Disposition |
| 41 |
Notifications, and are optional. Further, the client is what sends MDNs |
| 42 |
/if/ it chooses to do so. MDNs are even more unreliable than DSNs. |
| 43 |
|
| 44 |
> (1) is required by the server, else mail will be retransmitted from |
| 45 |
> source relay(s) (or client if done directly). (2) is optional by |
| 46 |
> final server, (3) is optional by end user's client. |
| 47 |
|
| 48 |
#1 is generated by RFC compliant servers. Not all servers are RFC |
| 49 |
compliant. |
| 50 |
|
| 51 |
#2 and #3 are generated by end user clients. Not all clients are |
| 52 |
willing to to do so. |
| 53 |
|
| 54 |
> the job of a relay would be to optionally add some metadata |
| 55 |
|
| 56 |
This really isn't optional. |
| 57 |
|
| 58 |
*SOMETHING* /standard/ *MUST* be added. If for no other reason than to |
| 59 |
detect and prevent loops. |
| 60 |
|
| 61 |
> (e.g. maybe describing sender's role) and sign the whole thing (e.g. by |
| 62 |
> company's private key). |
| 63 |
|
| 64 |
I would suggest a /server's/ private key, and *NOT* the company's |
| 65 |
private key. There is a HUGE difference in potential for private key |
| 66 |
exposure. If one server is compromised, the entire company could be |
| 67 |
crippled if the /company's/ private key is used. Conversely, if the |
| 68 |
/server's/ private key is used, then /only/ /the/ /server/ is compromised. |
| 69 |
|
| 70 |
It is quite possible to have the company's public key published such |
| 71 |
that the company's internal CA can issue individual keys to each server. |
| 72 |
|
| 73 |
Signing will be of somewhat limited value as it will quite likely be |
| 74 |
subject to the same problem that DMARC / ARC suffer from now. Mail |
| 75 |
servers can sign what they receive. But in doing so, they alter what is |
| 76 |
sent to include their signature. As such, the data that the next server |
| 77 |
receives is different. The real problem is working backwards. Down |
| 78 |
stream servers don't have a reliable way to undo what upstream servers |
| 79 |
have done to be able to get back to the original message to validate |
| 80 |
signatures. |
| 81 |
|
| 82 |
There is also the fact that various fields of the email are allowed to |
| 83 |
have specific trivial modifications made to them, such a line wrapping |
| 84 |
or character encoding conversion. Such changes don't alter the content |
| 85 |
of the message, but they do alter the bit pattern of the message. These |
| 86 |
types of changes are even more difficult to detect and unroll as part of |
| 87 |
signature validation. |
| 88 |
|
| 89 |
> this way we can have group-level rules. |
| 90 |
|
| 91 |
I'm not quite sure what you mean by group-level rules in this context. |
| 92 |
|
| 93 |
|
| 94 |
|
| 95 |
-- |
| 96 |
Grant. . . . |
| 97 |
unix || die |
Archives