"J.A. Terranson" <measl@mfn.org> wrote:
Everyone sends to the node of their choice, the node sends to a broadcast repeater that knows the source, and sends to everyone else, after stripping any mailman-specific things like tags, etc. The down side to this kind of dumb repeater is in the case of outages - the repeater will not know (or would it? I need to look at this in postfix) what to forward.
As far as I can tell this doesn't (yet) solve the problem of whitelisting subscribers to other nodes. However, we can add one more step and solve this: when a node receives an email from the repeater whose sender is a member of the node's local subscriber list, it bounces the message back to the repeater with an added header saying, in effect, "I vouch for this sender." Other nodes employing sender whitelisting would ignore the first email, since its sender isn't locally whitelisted and it lacks the aforementioned node-auth header, but would presumably forward the second email, assuming they chose to trust the node that is vouching for the sender. Nodes with no whitelisting policy could safely ignore the second email by filtering out duplicate msgids or something similar.

I'm not totally in love with the master repeater scheme, though. Notwithstanding my previous comments regarding the supposed threat model behind the CDR's original conception, as long as we're paying the fixed cost of setting up a new system we may as well get *some* additional reliability out of it, right?

-=rsw
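
Added example, not part of the original message: a minimal Python simulation of the per-node decision described in the reply above (ignore an unvouched non-member, bounce a vouched copy for a local member, accept a copy vouched by a trusted node, drop duplicate msgids). The header name `X-Node-Vouch`, the `Node` class and all addresses are assumptions made for illustration.

```python
from email.message import EmailMessage

VOUCH_HEADER = "X-Node-Vouch"  # hypothetical name; the post does not name the header


def make_msg(sender, msgid, vouched_by=None):
    """Build a constructed sample message as the repeater would relay it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Message-ID"] = msgid
    if vouched_by:
        msg[VOUCH_HEADER] = vouched_by
    msg.set_content("constructed sample body")
    return msg


class Node:
    def __init__(self, name, subscribers=(), trusted_nodes=(), whitelisting=True):
        self.name = name
        self.subscribers = set(subscribers)      # local sender whitelist
        self.trusted_nodes = set(trusted_nodes)  # nodes whose vouching we accept
        self.whitelisting = whitelisting
        self.delivered = set()                   # Message-IDs already forwarded

    def receive(self, msg):
        """Return (action, bounce) for one message relayed by the repeater."""
        msgid, sender = str(msg["Message-ID"]), str(msg["From"])
        voucher = msg.get(VOUCH_HEADER)
        if msgid in self.delivered:
            return "duplicate", None             # second copy of a known msgid
        if self.whitelisting and sender not in self.subscribers:
            # The header is taken at face value here; the post does not say
            # how a node would authenticate it.
            if voucher is None or str(voucher) not in self.trusted_nodes:
                return "ignore", None
        self.delivered.add(msgid)
        bounce = None
        if sender in self.subscribers and voucher is None:
            # Local member: send a vouched copy back to the repeater.
            bounce = make_msg(sender, msgid, vouched_by=self.name)
        return "deliver", bounce


if __name__ == "__main__":
    alpha = Node("alpha", subscribers={"alice@alpha.example"})
    beta = Node("beta", trusted_nodes={"alpha"})
    first = make_msg("alice@alpha.example", "<m1@alpha.example>")
    _, second = alpha.receive(first)
    print(beta.receive(first)[0], beta.receive(second)[0])
```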