mail service quality support mail service quality support
play

Mail Service Quality Support: Mail Service Quality Support: Mail - PowerPoint PPT Presentation

Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support:


  1. Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: CSV and BATV CSV and BATV CSV and BATV APCAUCE/APRICOT – Kyoto 2005 APCAUCE/APRICOT – Kyoto 2005 Dave Crocker Dave Crocker Dave Crocker Dave Crocker Dave Crocker Dave Crocker Dave Crocker Dave Crocker Brandenburg InternetWorking Brandenburg InternetWorking bbiw.net bbiw.net

  2. Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Assess Peer MTA Operation MTA Operation Assess Peer Assess Peer MTA Operation MUA MSA MTA 1. Does a Domain Name Manager MUA MSA MTA authorize this client MTA to be authorize sending email? MTA MTA 2. Does an independent accreditation accreditation service consider domain manager's MTA MTA practices to be adequate, for controlling email abuse? Peer MTA Peer MTA MTA MDA MUA MTA MDA MUA D. Crocker 2 APCauce/Apricot – Kyoto, 2005 2

  3. CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process 1. Identify 1. → SMTP HELO client.example.com → → → Sending Sending MTA MTA → → → → 2. Authenticate 2. IP Source Address MTA Client MTA Client 3. Authorize 3. Receiving → SRV _client._smtp. client.example.com Receiving _client._smtp. client.example.com MTA MTA MTA Server MTA Server ← Authorized / Not Authorized as MTA [ AddInfo (or A): IP Address valid ] [ AddIinfo (PTR): accred1.example1.net ] accred1.example1.net ] accred2.example2.net ] accred2.example2.net ] → A) → A) Consult private lists, or 4. Accredit 4. → B) DNS → DNS B) SRV client.example.com.accred1.example1.net client.example.com.accred1.example1.net ← Nice / Nasty D. Crocker 3 APCauce/Apricot – Kyoto, 2005 3

  4. CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage ! Sending MTA Network Operator Sending MTA Network Operator Sending MTA Network Operator Sending MTA Network Operator ! Sending MTA Network Operator Sending MTA Network Operator Sending MTA Network Operator Sending MTA Network Operator " Register Register authorized MTAs in CSV SRV DNS " Register authorized MTAs in CSV SRV DNS " " [ Register Register “explicit” record, for default “not authorized” ] " [ Register “explicit” record, for default “not authorized” ] ! Sending MTA Client Sending MTA Client Sending MTA Client Sending MTA Client ! Sending MTA Client Sending MTA Client Sending MTA Client Sending MTA Client " Use Use EHLO authorized domain name " Use EHLO authorized domain name " ! Receiving MTA Server Receiving MTA Server Receiving MTA Server Receiving MTA Server ! Receiving MTA Server Receiving MTA Server Receiving MTA Server Receiving MTA Server " Query Query CSA SRV for Client domain name " Query CSA SRV for Client domain name " " [ Query [ Query CSA SRV for Client domain name ‘explicit’ record ] " [ Query CSA SRV for Client domain name ‘explicit’ record ] " " Query Query private table or public DNA PTR record " Query private table or public DNA PTR record " D. Crocker 4 APCauce/Apricot – Kyoto, 2005 4

  5. Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Detecting Forged 2821.MailFrom Forged 2821.MailFrom Detecting Detecting Forged 2821.MailFrom ! Digital signature Digital signature Digital signature of bounce address of bounce address Digital signature Digital signature Digital signature of bounce address of bounce address Digital signature Digital signature ! Digital signature Digital signature of bounce address of bounce address Digital signature Digital signature of bounce address of bounce address ! " Key is based on domain portion of address " Key is based on domain portion of address ! Multiple schemes Multiple schemes Multiple schemes permitted permitted Multiple schemes Multiple schemes Multiple schemes permitted permitted Multiple schemes Multiple schemes ! Multiple schemes Multiple schemes permitted permitted Multiple schemes Multiple schemes permitted permitted ! " First one is simple and private to the originating system " First one is simple and private to the originating system ! Meta Meta- Meta -syntax - syntax syntax on LHS (local on LHS (local- -part) for parameters part) for parameters Meta Meta Meta - - - syntax syntax syntax on LHS (local on LHS (local - - part) for parameters part) for parameters Meta Meta - - syntax syntax ! Meta Meta- -syntax syntax on LHS (local on LHS (local- -part) for parameters part) for parameters Meta Meta - - syntax syntax on LHS (local on LHS (local - - part) for parameters part) for parameters ! " Permits finding mailbox without understanding signature, but " Permits finding mailbox without understanding signature, but entire string (with meta-syntax) must be used as bounce entire string (with meta-syntax) must be used as bounce " Hard limit of 64 bytes for total of local-part " Hard limit of 64 bytes for total of local-part mailbox@example.com → → → → → → → → mailbox@example.com batv= mailbox /scheme/parameters /scheme/parameters @example.com batv= D. Crocker 5 APCauce/Apricot – Kyoto, 2005 5

  6. Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Venues Venues Venues Venues Venues Venues Venues Venues Venues Venues Venues Venues Bounce Bounce Sign Sign Generation Generation MailFrom Intermediate Intermediate Bounce Bounce MailFrom Relay Generation Relay Generation MSA MDA MTA MTA MTA MDA MDA MTA MTA Bounce Bounce Receipt Receipt D. Crocker 6 APCauce/Apricot – Kyoto, 2005 6

  7. First Scheme: First Scheme: PSB0 First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: PSB0 PSB0 ! Private Signed Bounce, version zero Private Signed Bounce, version zero Private Signed Bounce, version zero Private Signed Bounce, version zero ! Private Signed Bounce, version zero Private Signed Bounce, version zero Private Signed Bounce, version zero Private Signed Bounce, version zero " Detect invalid received bounces " Detect invalid received bounces " Interpreted only by issuer " Interpreted only by issuer " Limited replay protection " Limited replay protection sig- -val = key val = key- -id, id, sig encrypt ( bounce address, bounce address, encrypt ( timestamp, timestamp, random- -string ) string ) random D. Crocker 7 APCauce/Apricot – Kyoto, 2005 7

Recommend


More recommend