Mail Service Quality Support: Mail Service Quality Support: Mail - - PowerPoint PPT Presentation

mail service quality support mail service quality support
SMART_READER_LITE
LIVE PREVIEW

Mail Service Quality Support: Mail Service Quality Support: Mail - - PowerPoint PPT Presentation

Oct 05, 2022 295 likes •405 views

Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support:

slide-1
SLIDE 1

Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support:

CSV and BATV

Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support: Mail Service Quality Support:

CSV and BATV CSV and BATV APCAUCE/APRICOT – Kyoto 2005 Dave Crocker Dave Crocker Dave Crocker Dave Crocker

Brandenburg InternetWorking bbiw.net

APCAUCE/APRICOT – Kyoto 2005 Dave Crocker Dave Crocker Dave Crocker Dave Crocker

Brandenburg InternetWorking bbiw.net

slide-2
SLIDE 2
  • D. Crocker

APCauce/Apricot – Kyoto, 2005 2 2

Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV):

Assess Peer MTA Operation

Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV): Certified Server Validation (CSV):

Assess Peer Assess Peer MTA Operation MTA Operation

MUA MUA MSA MSA MTA MTA MTA MTA MDA MDA MUA MUA MTA MTA MTA MTA

Peer MTA Peer MTA

  • 1. Does a Domain Name Manager

authorize authorize this client MTA to be sending email?

  • 2. Does an independent accreditation

accreditation service consider domain manager's practices to be adequate, for controlling email abuse?

slide-3
SLIDE 3
  • D. Crocker

APCauce/Apricot – Kyoto, 2005 3 3

CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process CSV Process

MTA MTA

Receiving Receiving MTA Server MTA Server

MTA MTA

Sending Sending MTA Client MTA Client

DNS DNS

→ → → → SMTP HELO client.example.com → → → → IP Source Address 1.

  • 1. Identify

2.

  • 2. Authenticate

→ SRV _client._smtp. client.example.com

_client._smtp. client.example.com

← Authorized / Not Authorized as MTA [ AddInfo (or A): IP Address valid ] [ AddIinfo (PTR): accred1.example1.net ] accred1.example1.net ] accred2.example2.net ] accred2.example2.net ] 3.

  • 3. Authorize

4.

  • 4. Accredit

→ → A) A) Consult private lists, or → → B) B) SRV

client.example.com.accred1.example1.net client.example.com.accred1.example1.net

← Nice / Nasty

slide-4
SLIDE 4
  • D. Crocker

APCauce/Apricot – Kyoto, 2005 4 4

CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage CSV Usage

! Sending MTA Network Operator

Sending MTA Network Operator Sending MTA Network Operator Sending MTA Network Operator

" Register authorized MTAs in CSV SRV DNS " [ Register “explicit” record, for default “not authorized” ]

! Sending MTA Client

Sending MTA Client Sending MTA Client Sending MTA Client

" Use EHLO authorized domain name

! Receiving MTA Server

Receiving MTA Server Receiving MTA Server Receiving MTA Server

" Query CSA SRV for Client domain name " [ Query CSA SRV for Client domain name ‘explicit’ record ] " Query private table or public DNA PTR record

! Sending MTA Network Operator

Sending MTA Network Operator Sending MTA Network Operator Sending MTA Network Operator

" " Register

Register authorized MTAs in CSV SRV DNS

" [ Register

Register “explicit” record, for default “not authorized” ]

! Sending MTA Client

Sending MTA Client Sending MTA Client Sending MTA Client

" " Use

Use EHLO authorized domain name

! Receiving MTA Server

Receiving MTA Server Receiving MTA Server Receiving MTA Server

" " Query

Query CSA SRV for Client domain name

" " [ Query

[ Query CSA SRV for Client domain name ‘explicit’ record ]

" " Query

Query private table or public DNA PTR record

slide-5
SLIDE 5
  • D. Crocker

APCauce/Apricot – Kyoto, 2005 5 5

Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV):

Detecting Forged 2821.MailFrom

Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV): Bounce Address Tag Validation (BATV):

Detecting Detecting Forged 2821.MailFrom Forged 2821.MailFrom

! Digital signature

Digital signature Digital signature Digital signature of bounce address

  • f bounce address
  • f bounce address
  • f bounce address

" Key is based on domain portion of address ! Multiple schemes

Multiple schemes Multiple schemes Multiple schemes permitted permitted permitted permitted

" First one is simple and private to the originating system ! Meta

Meta Meta Meta-

  • syntax

syntax syntax syntax on LHS (local

  • n LHS (local
  • n LHS (local
  • n LHS (local-
  • part) for parameters

part) for parameters part) for parameters part) for parameters

" Permits finding mailbox without understanding signature, but

entire string (with meta-syntax) must be used as bounce

" Hard limit of 64 bytes for total of local-part ! ! Digital signature

Digital signature Digital signature Digital signature Digital signature Digital signature Digital signature Digital signature of bounce address

  • f bounce address
  • f bounce address
  • f bounce address

" Key is based on domain portion of address ! ! Multiple schemes

Multiple schemes Multiple schemes Multiple schemes Multiple schemes Multiple schemes Multiple schemes Multiple schemes permitted permitted permitted permitted

" First one is simple and private to the originating system ! ! Meta

Meta Meta Meta Meta Meta Meta Meta-

  • syntax

syntax syntax syntax syntax syntax syntax syntax on LHS (local

  • n LHS (local
  • n LHS (local
  • n LHS (local-
  • part) for parameters

part) for parameters part) for parameters part) for parameters

" Permits finding mailbox without understanding signature, but

entire string (with meta-syntax) must be used as bounce

" Hard limit of 64 bytes for total of local-part

mailbox@example.com mailbox@example.com →

→ → → → → → →

batv= batv=mailbox/scheme/parameters /scheme/parameters@example.com

slide-6
SLIDE 6
  • D. Crocker

APCauce/Apricot – Kyoto, 2005 6 6

Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Venues Venues Venues Venues Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Bounce Address Evaluation Venues Venues Venues Venues Venues Venues Venues Venues

MTA MDA MTA MTA MSA

Bounce Bounce Receipt Receipt Bounce Bounce Generation Generation Bounce Bounce Generation Generation

MDA MDA MTA MTA

Sign Sign MailFrom MailFrom Intermediate Intermediate Relay Relay

slide-7
SLIDE 7
  • D. Crocker

APCauce/Apricot – Kyoto, 2005 7 7

First Scheme: First Scheme: First Scheme: First Scheme: PSB0 First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: First Scheme: PSB0

PSB0

! Private Signed Bounce, version zero

Private Signed Bounce, version zero Private Signed Bounce, version zero Private Signed Bounce, version zero

" Detect invalid received bounces " Interpreted only by issuer " Limited replay protection

! Private Signed Bounce, version zero

Private Signed Bounce, version zero Private Signed Bounce, version zero Private Signed Bounce, version zero

" Detect invalid received bounces " Interpreted only by issuer " Limited replay protection

sig sig-

  • val = key

val = key-

  • id,

id, encrypt ( encrypt ( bounce address, bounce address, timestamp, timestamp, random random-

  • string )

string )

slide-8
SLIDE 8
  • D. Crocker

APCauce/Apricot – Kyoto, 2005 8 8

Approach for Approach for Approach for Approach for “ “ “ “Public Key Public Key Public Key Public Key” ” ” ” Schemes Schemes Schemes Schemes Approach for Approach for Approach for Approach for Approach for Approach for Approach for Approach for “ “ “ “ “ “ “ “Public Key Public Key Public Key Public Key Public Key Public Key Public Key Public Key” ” ” ” ” ” ” ” Schemes Schemes Schemes Schemes Schemes Schemes Schemes Schemes

! Allows interpretation by Relays earlier in the

Allows interpretation by Relays earlier in the Allows interpretation by Relays earlier in the Allows interpretation by Relays earlier in the sequence sequence sequence sequence

" Requires PK infrastructure " Will be based on a content-signing standard, when available " Link to content permits strong replay protection ! Tune computation to MailFrom

Tune computation to MailFrom Tune computation to MailFrom Tune computation to MailFrom’ ’ ’ ’s limitations s limitations s limitations s limitations

" E.g., hash the signature into a short string. ! Allows interpretation by Relays earlier in the

Allows interpretation by Relays earlier in the Allows interpretation by Relays earlier in the Allows interpretation by Relays earlier in the sequence sequence sequence sequence

" Requires PK infrastructure " Will be based on a content-signing standard, when available " Link to content permits strong replay protection ! Tune computation to MailFrom

Tune computation to MailFrom Tune computation to MailFrom Tune computation to MailFrom’ ’ ’ ’s limitations s limitations s limitations s limitations

" E.g., hash the signature into a short string.

slide-9
SLIDE 9
  • D. Crocker

APCauce/Apricot – Kyoto, 2005 9 9

To Follow Up To Follow Up To Follow Up To Follow Up… … … … To Follow Up To Follow Up To Follow Up To Follow Up To Follow Up To Follow Up To Follow Up To Follow Up… … … … … … … …

! CSV and BATV

CSV and BATV CSV and BATV CSV and BATV

" Mailing list and specifications: mipassoc.org/clear " Certified Server Validation (CSV): draft-ietf-marid-csv-intro-02

  • Client SMTP Authorization (CSA): draft-ietf-marid-csv-csa-02
  • Domain Name Accreditation (DNA): draft-ietf-marid-csv-dna-02

" Bounce Address Tag Validation (BATV): draft-levine-mass-batv-00

! Email architecture

Email architecture Email architecture Email architecture

" bbiw.net/specifications/draft-crocker-email-arch-03.html

" Internet Mail Architecture: draft-crocker-email-arch-03

! CSV and BATV

CSV and BATV CSV and BATV CSV and BATV

" Mailing list and specifications: mipassoc.org

mipassoc.org/clear

" Certified Server Validation (CSV): draft-ietf-marid-csv-intro-02

  • Client SMTP Authorization (CSA): draft-ietf-marid-csv-csa-02
  • Domain Name Accreditation (DNA): draft-ietf-marid-csv-dna-02

" Bounce Address Tag Validation (BATV): draft-levine-mass-batv-00

! Email architecture

Email architecture Email architecture Email architecture

" " bbiw.net

bbiw.net/specifications/draft-crocker-email-arch-03.html

" Internet Mail Architecture: draft-crocker-email-arch-03