[Mimedefang] GMail (was Re: stripping Received headers based on authentication)

John Nemeth jnemeth at victoria.tc.ca
Wed Feb 17 16:52:39 EST 2010

On Jul 10,  9:23am, "David F. Skoll" wrote:
} >> No.  You misunderstand.  The web *server* is the email gateway.  It
} >> gateways mail *from* the browser (using HTTP) *to* the Internet (using
} >> SMTP).
} > Gateways need something on both sides to participate.
} Yep.  On one side: The Web browser.  On the other side: The rest of
} the Internet.  Why is that so hard to understand?

     Yes, a web browser, not an MUA of any sort!  I've worked with
numerous different e-mail related protocols over the years, but until
now, nobody has tried to convince me that HTTP{,S} has anything to do
with e-mail.

} > If it isn't email inside the browser (and it isn't, it is a form
} > that the browser displays mindlessly and http carries blindly), how
} > can it be a gateway operation?
} I'll explain...
} > It originates as email from the web application on the server with the
} > user's credentials.
} No.  It originates as email from withing the browser.  You may claim

     No, it doesn't.

} it's some black-box blob of data, but everyone who uses webmail will

     Actually, multiple black-box blobs of data, but who's counting?

} disagree.  Stop someone and say "What are you doing?"  He/she will say
} "Writing an email", not "filling in a form that the browser carries
} blindly and that turns into an email on the server."

     Yeah, so what?  99.9% of people using computers don't have the
slightest clue how it works or what is going on under the hood at any
given moment (this even goes for most Linux users -- most of them will
tell you that it's better then Windows, but ask them to articulate what
is going on under the hood, and they won't have a clue, unless they
happen to be a programmer).

     BTW, what's an EGR and how does it work?  What's a PCV and how
does it work?  The only hint that I'll give is that these don't have
anything to do with computers.

} And if you ask Joe Brennan what he's doing, he'll say "Composing an
} email on machine x.y.z.w that's running Pine".  And if you ask a
} knowledgeable Thunderbird user with a remote X display what he's
} doing, he'll say "Composing an email in Thunderbird running on machine
} x.y.z.w."  It's clear to everyone where the real action is happening.

     Yes, these people don't fit the 99.9%, and notice that they won't
tell that they are composing e-mail on their local machine.

} > Partly both I suppose, but I don't like people interpreting RFC's oddly
} > to support their own agenda,
} You and Gmail are the only ones with this interpretation.  Other

     No, they aren't the only ones.  I've been mostly enjoying the
popcorn until now.

} Webmail providers (Yahoo, Hotmail) and Webmail software (Squirrelmail;
} Horde) use my interpretation.  So I submit that you are the one

     So what, we all know the general state of privacy in the US, i.e.
you have none.  The rest of the world generally does a better job.
Google is at least trying.

} interpreting the RFC oddly.
} > and I don't see how anything a browser does can be considered as any
} > more than a remote display for a server side application.
} Here's the thing: Between the Google Webmail server and the client's
} Web browser, there is an interface between two administrative domains.
} Google doesn't own the Web browser (yet!), but it does own the Web
} server.

     Yeah, so?

} For tracing purposes, it is desirable (I would say mandatory) to track
} the flow of email across this interface.

     How do you know they don't?  Just because they don't give you the
info, doesn't mean they don't track it.

} Generally speaking, between an X client and an X server, or between an
} SSH client and an SSH server, there is not an interface between two
} administrative domains.  So apart from the fact that the SMTP gateway

     I'm using an SSH client to talk to an SSH server on a different
machine.  On that machine, I'm running an MUA to compose this e-mail.
The SSH client and SSH server are most definitely in different
administrative domains.

} *cannot* report the client's IP, there's *no need* for it to do so.

     Nor, is there any need for Gmail to do so.  Google is fully
responsible for anything emitted by the Gmail system.  If you receive
spam from a Gmail user, report it to Google/Gmail.  If Google fails to
deal with it appropriately that would make Google a spam friendly
entity and a problem.  You can then deal with them on that basis.
There is no need for you to know who the ultimate enduser composing the
e-mail is.

} (If people started offering public-access Pine-over-SSH or
} public-access Thunderbird-over-X, I would change my position.)

     Why?  The person offering the service would still be responsible
for what happens on it.

} > As an email admin you have the right to discard email whimsically.
} It's not whimsical at all.  Google is suppressing critical information
} showing the flow of email from one administrative domain to another.
} This is purely evil and utterly unjustifiable.

     This is one of the most ridiculous things I've heard.

     BTW, since we're talking about being RFC compliant, I guess we
should throw out MIMEDefang since it mangles e-mails in-transit and
that's a definite no-no.

}-- End of excerpt from "David F. Skoll"

More information about the MIMEDefang mailing list