Full Disclosure mailing list archives
Re: Improving E-mail security...
From: "I.R.van Dongen" <vdongen () hetisw nl>
Date: Wed, 27 Aug 2003 11:25:51 +0200
Current situation of my organisation: 3 mx servers (of which one is actually at our location), 12 smtp-relay servers on completely different netblocks. In your opinion, there should be 12 public keys stored for just our 1 domain? Not to mention 3 public keys for our 3 mxs. Our situation is not uncommon; most organisations don't have just one office network. Besides the fact that someone has to store the keys on a central server, which can:
1) be hacked, which has the effect that mail cannot be sent
2) be exploited by the 3rd party trustee to make a lot of money (you want your mail to be sent?)
3) be DDoS'ed by kiddies to prevent all mail from being sent.
> - E-mail receiving server could check that 'very first original' From: line and if it is the same as the receiver address, i.e. 'someone () someone com', perform a check to see if the 'sender identification', i.e. salted public key, GUID or something (X-Authenticated-Guid: #0a845d299ca340087140), exists in the mail header.
Without a challenge system, I can simply copy the Guid from any mail.
> Delivery should be done only if a 'sender identification' exists and the key matches. Otherwise mail should be trashed to dev/null :)
> Waiting for comments and suggestions...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
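The replay objection raised in the reply above, as an added example that is not part of the original thread: a static header value is accepted on any message that carries it, while a response bound to a fresh challenge is not. The addresses, the shared-secret HMAC (a stand-in for the public keys the thread discusses) and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from email import message_from_string

# Constructed sample data; the GUID is the value quoted in the thread.
KNOWN_GUIDS = {"someone@someone.com": "#0a845d299ca340087140"}
SENDER_KEYS = {"someone@someone.com": b"constructed-demo-secret"}  # hypothetical key

GENUINE = (
    "From: someone@someone.com\n"
    "X-Authenticated-Guid: #0a845d299ca340087140\n"
    "\n"
    "Original body text.\n"
)
# Same headers, different body: what the receiver sees when the GUID is reused.
REUSED = GENUINE.replace("Original body text.", "Different body text.")


def static_guid_check(raw: str) -> bool:
    """The proposed check: the GUID header must match the From: address."""
    msg = message_from_string(raw)
    expected = KNOWN_GUIDS.get(msg["From"])
    presented = msg["X-Authenticated-Guid"]
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected, presented)


def new_challenge() -> bytes:
    """Receiver side: a fresh random value per delivery attempt."""
    return secrets.token_bytes(16)


def respond(key: bytes, challenge: bytes, raw: str) -> str:
    """Sender side: prove key possession for this challenge and this message."""
    return hmac.new(key, challenge + raw.encode(), hashlib.sha256).hexdigest()


def challenge_check(raw: str, challenge: bytes, response: str) -> bool:
    """Receiver side: recompute the response with the key on file."""
    key = SENDER_KEYS.get(message_from_string(raw)["From"])
    if key is None:
        return False
    return hmac.compare_digest(respond(key, challenge, raw), response)
```
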
