[Mimedefang] sendmail spf milter plugin for sendmail 8.13.0

Matthew.van.Eerde at hbinc.com Matthew.van.Eerde at hbinc.com
Thu Aug 19 15:26:54 EDT 2004

Hash: SHA1

Les Mikesell wrote:
> On Thu, 2004-08-19 at 12:01, Matthew.van.Eerde at hbinc.com wrote:
>> A solution *is* possible, even though the specs aren't (yet) it.
>> Worst-case, everyone gets a PGP key, publishes the public key in
>> and signs all outgoing mail.  Then headers can be thrown around at
>> will.
> I don't see why you call that the worst case, since it tells you
> what you really want to know - unless you have some bizarre interest
> about what machine registered in what domain had some small part
> in delivering the message.  The problem is still that this
> identification is meaningless unless there is a way to limit the
> number of them that can be generated.

Not meaningless.  If I send an email From:
matthew.van.eerde at example.com, and sign it with my PGP key, and publish
my public PGP key via DNS at matthew-dot-van-dot-eerde.example.com, you
can be darn sure that one of the following is true:

1) the signature is invalid
2) the email really came from matthew.van.eerde at example.com
3) example.com is borked (DNS is under control of black hats, say)

You can check 1) using PGP, which gets you down to 2) or 3).
If you know 2) isn't true, you can infer 3) - and blacklist all future
email from example.com (until they fix it)

It's true that security at the domain level is meaningless from an
end-user perspective.  But from a litigious perspective it's a lot
easier to subpoena registration info on a domain if you can PROVE that
the domain's DNS administrator is complicit to bad behavior.

Matthew.van.Eerde at hbinc.com                      805.964.4554 x902
Hispanic Business Inc./HireDiversity.com         Software Engineer
Comment: pub key http://matthew.vaneerde.com/pgp-public-key.asc


More information about the MIMEDefang mailing list