
Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?



> With LMAP, authentication is done to the originating domain, as opposed 
> to per-hop basis.

  That's the phrasing I was looking for.  Thanks.  It's been a long day.

> However, it seems to me that in cases where someone outsources their 
> email delivery, there will be significant administrative issues since 
> the owner of the domain will have to list all possible outbound servers 
> of the outsourcer in LMAP records. And anytime this information changes, 
> the DNS records need to be updated.

  One word: delegation.

  If *all* of their mail is outsourced, then the LMAP records can be
delegated to the domain which performs the delivery.

  If some of the mail is outsourced, then this will be discovered
because the outsourced machine will probably do:

  EHLO outsource-machine.example.com
  MAIL FROM: anonymous@example.net
  
  The LMAP system can check:

  1) reverse-ip._lmap_.example.net
  2) reverse-ip.example.com._lmap_.example.net

  The first question asks: "is this IP authorized to send messages as
example.net?"  If the answer is no, the second question is asked,
which is:

  "Is this IP, which claims to be within example.com, allowed to send
messages as example.net?"  example.net can then do something like:

  example.com._lmap_.example.net      IN PTR _lmap_.example.com

  That should be easy to do, and should simplify a lot of the
delegation issues.

  Alan DeKok.

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
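The two-question lookup described in the message above, as an added example that is not part of the original post or of any LMAP implementation. Assumptions: "reverse-ip" is the IPv4 octets reversed, an authorized IP is marked by a TXT value "allow", the checker tries each suffix of the EHLO name, and a PTR at the delegation node means "ask the same reverse-ip question under the target". The zone data is constructed.

```python
import ipaddress

# Constructed zone data standing in for DNS: name -> (rtype, value).
ZONE = {
    # example.net lists its own outbound server directly.
    "10.2.0.192._lmap_.example.net": ("TXT", "allow"),
    # The delegation record from the message.
    "example.com._lmap_.example.net": ("PTR", "_lmap_.example.com"),
    # The outsourcer maintains its own list of outbound servers.
    "25.100.51.198._lmap_.example.com": ("TXT", "allow"),
}
ALLOW = ("TXT", "allow")  # hypothetical record format

def reverse_ip(ip):
    """198.51.100.25 -> 25.100.51.198 (assumed meaning of 'reverse-ip')."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def ehlo_suffixes(ehlo):
    """EHLO name and each parent domain that still has two labels."""
    labels = ehlo.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def lmap_check(ip, ehlo, mail_from, lookup=ZONE.get):
    """Return (verdict, name_that_authorized) for one SMTP transaction."""
    if "@" not in mail_from:
        return ("unauthorized", None)
    base = "_lmap_." + mail_from.rsplit("@", 1)[1].lower()
    rip = reverse_ip(ip)

    # Question 1: is this IP authorized to send as the MAIL FROM domain?
    q1 = f"{rip}.{base}"
    if lookup(q1) == ALLOW:
        return ("direct", q1)

    # Question 2: is this IP, claiming to be within the EHLO domain,
    # allowed to send as the MAIL FROM domain? The EHLO name is only a
    # claim: it selects which delegation to consult, and the IP must
    # still be listed by the domain the delegation points to.
    for claimed in ehlo_suffixes(ehlo):
        rec = lookup(f"{claimed}.{base}")
        if rec and rec[0] == "PTR":
            q2 = f"{rip}.{rec[1]}"
            if lookup(q2) == ALLOW:
                return ("delegated", q2)
    return ("unauthorized", None)
```

A client that merely announces EHLO outsource-machine.example.com from an unlisted address gets "unauthorized", because the delegated zone, not the EHLO string, decides.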