Posted to server-user@james.apache.org by se...@lokitech.com on 2003/12/11 18:25:04 UTC
Bah, my idea by the people who I said needed it
I've always thought server-driven domain-based authentication was one of the most needed additions to SMTP/email.
Does anyone know how we can learn more about this approach and make James compatible (and not just sendmail and qmail)?
http://www.informationweek.com/story/showArticle.jhtml?articleID=16700087
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
Re: Bah, my idea by the people who I said needed it
Posted by Serge Knystautas <se...@lokitech.com>.
sergek@lokitech.com wrote:
> I've always thought server-driven domain-based authentication was one of the most needed additions to SMTP/email.
>
> Does anyone know how we can learn more about this approach and make James compatible (and not just sendmail and qmail)?
>
> http://www.informationweek.com/story/showArticle.jhtml?articleID=16700087
I've found out a bit more on how this works... we're pretty sure
they're using S/Mime to sign the messages going out. Then,
"Under Yahoo's new architecture, a system sending an e-mail message
would embed a secure, private key in a message header. The receiving
system would check the Internet's domain name system for the public key
registered to the sending domain."
So basically you indicate your domain participates in this system and
publish your public key via some special entry in DNS. This should be
pretty easy to add with a matcher.
I'm still trying to contact someone at Yahoo! to get involved so we have
early adoption of this. If anybody works/knows people at Yahoo!, please
let me know. :)
--
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com
Re: Bah, my idea by the people who I said needed it
Posted by bill parducci <bi...@parducci.net>.
actually, what immediately comes to mind for me is non-repudiation of
e-mail messages (finally! ;o)
b
Mark Swanson wrote:
> On December 11, 2003 6:34 pm, bill parducci wrote:
>
>>if it takes off, it should make CPU salesmen around the world happy! :o)
>
>
> I was curious so I fired up the ol' `openssl speed` test on my Athlon 2400 and
> found:
>                   sign    verify    sign/s verify/s
> rsa  512 bits   0.0015s   0.0002s    661.5   6628.4
>
> I think even 512 bits would provide a lot of value. What immediately comes to
> mind is a black hole service that would block based on digital certificates.
> Think of the ramifications of an Internet that only used authenticated SMTP
> servers, and provided feedback about spammers relatively quickly.
>
> I would be on this like a fat kid on smarties if I could afford the bandwidth
> of 10,000 machines (controlled by spammers/virus writers) constantly DoS
> attacking my global services cluster.
>
Re: Bah, my idea by the people who I said needed it
Posted by Serge Knystautas <se...@lokitech.com>.
Mark Swanson wrote:
>>What do you need it for? My understanding is that it would be something
>>like:
>>
>> - Receive message
>> - Extract signature
>> - DNS.lookup(sender.domain,"MXKEY");
>> - Verify signature
>
>
> And the last step: contact a service to see if the server is known to send
> spam. If it's on the list, refuse the email. Maybe here's a possible
> scenario:
> 1. spammer buys cert
> 2. spammer sends out 1 million emails
> 3. spammer gets blocked same day
> 4. if spammer bought < 20 certs, goto 1
> 5. verisign gets suspicious said spammer bought 20 certs over the past 20
> days. Maybe the cert authority could stop issuing certs to the spammer.
>
> It's light on detail, but maybe there is a way...
DomainKeys is being described as fighting spam, but really I think
that's more for publicity. It strictly addresses SMTP identity theft,
which then makes spam prevention techniques possible, such as the one
you suggest.
The best thing (IMO) this will do is prevent emails from PayPal saying
click here to type your credit card, or Microsoft has hand delivered
this patch to you, or AOL users need to enter their password here.
Whether you feel a business has a right to send you a promotion is at
least a gray issue to some, but fraud is a bit more clear cut.
--
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com
Re: Bah, my idea by the people who I said needed it
Posted by Mark Swanson <ma...@ScheduleWorld.com>.
On December 11, 2003 11:18 pm, Noel J. Bergman wrote:
> Mark Swanson wrote:
> > What immediately comes to mind is a black hole service that
> > would block based on digital certificates.
>
> What do you need it for? My understanding is that it would be something
> like:
>
> - Receive message
> - Extract signature
> - DNS.lookup(sender.domain,"MXKEY");
> - Verify signature
And the last step: contact a service to see if the server is known to send
spam. If it's on the list, refuse the email. Maybe here's a possible
scenario:
1. spammer buys cert
2. spammer sends out 1 million emails
3. spammer gets blocked same day
4. if spammer bought < 20 certs, goto 1
5. verisign gets suspicious said spammer bought 20 certs over the past 20
days. Maybe the cert authority could stop issuing certs to the spammer.
It's light on detail, but maybe there is a way...
--
Schedule your world with ScheduleWorld.com
http://www.ScheduleWorld.com/
Java Web Start (JNLP):
http://www.ScheduleWorld.com/sw/ScheduleWorld.jnlp
RE: Bah, my idea by the people who I said needed it
Posted by "Noel J. Bergman" <no...@devtech.com>.
Mark Swanson wrote:
> What immediately comes to mind is a black hole service that
> would block based on digital certificates.
What do you need it for? My understanding is that it would be something
like:
- Receive message
- Extract signature
- DNS.lookup(sender.domain,"MXKEY");
- Verify signature
All standard PKI using SMTP and the DNS. No need for a central service,
from what I understand.
--- Noel
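
The four steps listed in the message above (receive, extract signature, DNS lookup, verify), written out as an added example; it is not code from the original post, from James or from Yahoo. Assumptions: the header name X-Domain-Signature is hypothetical, an in-memory table stands in for the "MXKEY" DNS lookup, only the body is signed, and the RSA key is a constructed toy key.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

# Toy RSA key built from two well-known primes: constructed sample data,
# far too small and too structured for real use.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
# DER prefix of a SHA-256 DigestInfo, as used by PKCS#1 v1.5 signatures.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SIG_HEADER = "X-Domain-Signature"  # hypothetical header name (assumption)
# Stand-in for DNS.lookup(sender.domain, "MXKEY"): domain -> (modulus, exponent).
DNS_KEYS = {"example.com": (N, E)}

def encode(body: str, n: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(body) for an n-sized modulus."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(body.encode()).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(body: str) -> str:
    """Sending side: RSA-sign the body with the domain's private key."""
    return format(pow(encode(body, N), D, N), "x")

def build(sender: str, body: str, signed_body: str) -> str:
    """Build a message whose signature covers signed_body (sample-data helper)."""
    return f"From: {sender}\n{SIG_HEADER}: {sign(signed_body)}\n\n{body}"

def check(raw: str) -> str:
    msg = message_from_string(raw)                      # receive message
    sig = msg.get(SIG_HEADER)                           # extract signature
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    key = DNS_KEYS.get(domain)                          # DNS lookup
    if key is None:
        return "no-key"    # domain does not publish a key: nothing to verify
    if sig is None:
        return "unsigned"  # domain publishes a key, so a bare message is suspect
    n, e = key
    try:                                                # verify signature
        ok = pow(int(sig, 16), e, n) == encode(msg.get_payload(), n)
    except ValueError:     # signature header is not valid hex
        ok = False
    return "pass" if ok else "fail"

if __name__ == "__main__":
    print(check(build("alice@example.com", "hello", "hello")))     # genuine
    print(check(build("alice@example.com", "pay here", "hello")))  # body altered
    print(check("From: alice@example.com\n\nhello"))               # no signature
```

The "unsigned" result is the case the thread cares about most: a message claiming a participating domain but carrying no signature, which no central blocklist is needed to reject.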
Re: Bah, my idea by the people who I said needed it
Posted by Mark Swanson <ma...@ScheduleWorld.com>.
On December 11, 2003 6:34 pm, bill parducci wrote:
> if it takes off, it should make CPU salesmen around the world happy! :o)
I was curious so I fired up the ol' `openssl speed` test on my Athlon 2400 and
found:
                  sign    verify    sign/s verify/s
rsa  512 bits   0.0015s   0.0002s    661.5   6628.4
I think even 512 bits would provide a lot of value. What immediately comes to
mind is a black hole service that would block based on digital certificates.
Think of the ramifications of an Internet that only used authenticated SMTP
servers, and provided feedback about spammers relatively quickly.
I would be on this like a fat kid on smarties if I could afford the bandwidth
of 10,000 machines (controlled by spammers/virus writers) constantly DoS
attacking my global services cluster.
--
Schedule your world with ScheduleWorld.com
http://www.ScheduleWorld.com/
Java Web Start (JNLP):
http://www.ScheduleWorld.com/sw/ScheduleWorld.jnlp
Re: Bah, my idea by the people who I said needed it
Posted by bill parducci <bi...@parducci.net>.
if it takes off, it should make CPU salesmen around the world happy! :o)
b
sergek@lokitech.com wrote:
> I've always thought server-driven domain-based authentication was one of the most needed additions to SMTP/email.
>
> Does anyone know how we can learn more about this approach and make James compatible (and not just sendmail and qmail)?
>
> http://www.informationweek.com/story/showArticle.jhtml?articleID=16700087