Re: [Asrg] VPNs

Alessandro Vesely <vesely@tana.it> Tue, 30 June 2009 08:54 UTC

Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 95E9F3A68EA for <asrg@core3.amsl.com>; Tue, 30 Jun 2009 01:54:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.786
X-Spam-Level:
X-Spam-Status: No, score=-0.786 tagged_above=-999 required=5 tests=[AWL=-0.067, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UohZm6I+asaq for <asrg@core3.amsl.com>; Tue, 30 Jun 2009 01:54:11 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id D0FDB28C32C for <asrg@irtf.org>; Tue, 30 Jun 2009 01:54:06 -0700 (PDT)
Received: from mach-4.tana.it (mach-4.tana.it [194.243.254.189]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Tue, 30 Jun 2009 10:41:34 +0200 id 00000000005DC031.000000004A49CFBE.000051BC
Message-ID: <4A49CFCC.7040802@tana.it>
Date: Tue, 30 Jun 2009 10:41:48 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.22 (Macintosh/20090605)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <20090623213728.1825.qmail@simone.iecc.com> <4A41D773.50508@telmon.org> <4A41E506.2010106@mines-paristech.fr> <20090624160052.B5DC62428A@panix5.panix.com> <4A426B9D.7090901@mines-paristech.fr> <4A43618A.6000205@tana.it> <20090629120826.GA6823@gsp.org>
In-Reply-To: <20090629120826.GA6823@gsp.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] VPNs
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2009 08:54:12 -0000

Rich Kulawiec wrote:
> On Thu, Jun 25, 2009 at 01:37:46PM +0200, Alessandro Vesely wrote:
>> AFAIK, there is no way SMTP can be configured so that a given sending  
>> location can be whitelisted. [...]
> 
> Yes, MTAs can be configured so that a given sending location -- that is,
> IP address -- is whitelisted.  I do it all the time.  But it's not a
> very good solution, and it doesn't scale.  Moreover, it's brittle: if the
> sender's outbound mail server changes its address, then it stops working.
> Conversely, if someone else acquires that server's previous address,
> then it starts working for someone I didn't intend it to work for.
> 
> Level of work?  I think, roughly speaking, it's one or two lines of
> configuration with most MTAs.  But (as I think you're pointing out) the
> actual configuration itself isn't the issue: it's the time and effort
> that it takes to figure out what should be in the configuration, and
> then to maintain it.

Thanks for confirming that. My feeling is that we are overloading IP 
numbers with an accountability functionality that doesn't belong there.

For a different approach, there is a Message Security Level[1] SMTP 
extension that allows the above configuration to be written as

  example.com:  /SECURITY=STARTTLS

for each destination domain. That way, on can establish secure mail 
delivery channels between trusted domains, connected by an untrusted 
public network. It works by recognizing the certificates rather than 
the IP addresses. The option configured merely requires that TLS is 
used at each hop; it may be specified on the MAIL FROM command.
1: http://www.courier-mta.org/draft-varshavchik-security-smtpext.txt