Re: [apps-discuss] APPSDIR review of draft-melnikov-smtp-priority-13

S Moonesamy <> Wed, 30 May 2012 18:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E043511E80E5; Wed, 30 May 2012 11:22:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.524
X-Spam-Status: No, score=-102.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WGjRjHdD7jr5; Wed, 30 May 2012 11:22:27 -0700 (PDT)
Received: from ( [IPv6:2001:470:f329:1::1]) by (Postfix) with ESMTP id DBEE811E80B3; Wed, 30 May 2012 11:22:26 -0700 (PDT)
Received: from ([]) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id q4UIM529018795 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 May 2012 11:22:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail2010; t=1338402141;; bh=lh/xUdx7aYxK4gPydZiop9V7urB/fpFriuTGvDZjXHw=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=pdigg6fHr2NFjulBuL1NpF5hClUey/ohtcCdBsBczVa892QSFWHFRXzJx13mMAezn qSmaoUA2ObIc9OgDqBMeRw1AEA9Aw68J1GNeFypl4+QVGPfxD48f9NGaXXRyYHvvAe Cw+etDC8KgIwrBJHFFVat7CORegGsMGMkOjO+jR4=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail; t=1338402141;; bh=lh/xUdx7aYxK4gPydZiop9V7urB/fpFriuTGvDZjXHw=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=AdAfwGIAq1E1WnwK9XOHW21iKFp65Fs+9LD8Wz0kVejNce1f4TBPr84u5kb6tvv/V 32+bULROWKSWUlHi+Q7vrAsS3Z7diX8u68HRauSOdwi2shD/0WQM0FNpup9h/+lmZx 6j/oKDZtQ1WTfyMeuYFKMaje8tTwsOfehmcJxFjA=
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Wed, 30 May 2012 11:17:46 -0700
To: Alexey Melnikov <>
From: S Moonesamy <>
In-Reply-To: <>
References: <> <> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: Pete Resnick <>,, Barry Leiba <>,,
Subject: Re: [apps-discuss] APPSDIR review of draft-melnikov-smtp-priority-13
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 May 2012 18:22:31 -0000

Hi Alexey,

[fixed incorrect alias]

At 10:07 30-05-2012, Alexey Melnikov wrote:
>I mostly used the current wording to avoid discussing what is 
>authentication. I didn't mean "authentication with SMTP AUTH", 
>because authentication by IP address is quite common (and sufficient 
>in some environments).

For context, Section 10 of draft-melnikov-smtp-priority-14 states that:

   "Message Submission Agents MUST implement a policy that only allows
    authenticated users (or only certain groups of authenticated users)
    to specify message transfer priorities, and MAY restrict maximum
    priority values different groups of users can request, or MAY
    override the priority values specified by MUAs."

And in the last paragraph of that section:

   "In the absence of the policy enforcement mentioned above an SMTP
    server (whether an MSA or an MTA) implementing this extension might
    be susceptible to a Denial of Service attack."

You have "authenticated and trusted senders" in the second paragraph; 
you could use that.  Barry mentioned that authenticated does not mean 
SMTP AUTH [1].  Section 3.3 if RFC 6409 discusses about authorized 
submission.  I could argue that MSAs usually enforce authorized 
submission.  The second sentence suggested by Barry might capture 
some of your intent in my opinion:

   "As part of this policy, they can also restrict maximum priority values
    that different groups of users can request, and can override the priority
    values specified by MUAs."

The alternatives, as I see it, for the first sentence are:

  (a) Do you want people to go and write code so that the site administrator
      can enforce such a policy?

  (b) Do you want people to "think" about this as a security consideration?

  (c) Do you want to enjoy the summer weather instead of generating more
      mail traffic?

S. Moonesamy