On Mon, Jun 17, 2019 at 02:29:05PM -0400, Wietse Venema wrote:

> I suppose that Postfix will need to forward the OORG information
> that it received from the Microsoft server, not a name that is
> hard-coded in main.cf, and that Postfix will need to send that
> information only to systems that should receive it, not to random
> systems on the Internet.

XOORG would need to be accepted only from suitably authenticated and authorized clients (those trusted to deliver authentic information).

XOORG feels clumsy; a cleaner choice would be DKIM, which supports passage through untrusted relays, ... but at the cost of breaking when the content is modified. XOORG on the other hand admits content modification, ... but at the cost of requiring trusted relays.

If we're willing to generally forward DKIM signatures, I am not sure that XOORG needs censoring on the outbound leg, when trusted on the inbound leg.

--
Viktor.