Viktor Dukhovni:
> On Mon, Jun 17, 2019 at 02:29:05PM -0400, Wietse Venema wrote:
>
> > I suppose that Postfix will need to forward the OORG information
> > that it received from the Microsoft server, not a name that is
> > hard-coded in main.cf, and that Postfix will need to send that
> > information only to systems that should receive it, not to random
> > systems on the Internet.
>
> XOORG would need to be accepted only from suitably authenticated
> and authorized clients (those trusted to deliver authentic information).
>
> XOORG feels clumsy, a cleaner choice would be DKIM, which supports
> passage through untrusted relays, ... but at the cost of breaking
> when the content is modified. XOORG on the other hand admits content
> modification, ... but at the cost of requiring trusted relays.
>
> If we're willing to generally forward DKIM signatures, I am not
> sure that XOORG needs censoring on the outbound leg, when trusted
> on the inbound leg.

The latter is simply conservative design. There is no need to forward
this information, and a receiving system might object to receiving
XOORG from a Postfix machine that isn't authorized to send it.

Wietse