Re: [Asrg] DNSBL and IPv6

[Paul Smith <paul@pscs.co.uk>]

On 25/10/2012 13:14, Martijn Grooten wrote:
> Can't we do something entirely different for IPv6? Like, use domain-based filtering by making it mandatory to DKIM-sign a message you send over IPv6 outside of your network? As long as IPv4 and IPv6 are running in parallel it should be possible for IPv6 MTA to refuse messages that aren't DKIM-signed - and tell the sender to retry over IPv4
Is it even possible to tell an IPv6 sender to retry over IPv4? I know 
I've seen discussion about whether it should be possible, but I'm fairly 
sure it wasn't at that time (I think it should be possible)

Having a 'retry over IPv4' option would help a lot, especially if we had 
a mechanism to link an IPv6 and an IPv4 attempt - could be a good way of 
bootstrapping an IPv6 reputation system (or whitelist). But, I'm not 
sure the IETF would approve, and it may be too late anyway...

I do think that (with hindsight) IPv6 support for MTAs could have done 
with more thought before it was standardised. Things like requiring DKIM 
(or SPF or some new equivalent) and mechanisms to fallback to IPv4 may 
have been good things to enforce in an IPv6 world so being a mandatory 
part of 'SMTPv6' rather than options as we'd have to do now. MTA SMTP is 
a totally different world from pretty much everything else IP because 
although deployment is very widespread the actual number of legitimate 
MTAs is tiny compared to the rest of the Internet connected stuff, and 
SMTP is also quite vulnerable to 'legitimate attacks' unlike other 
protocols (eg most spam is sent by doing everything according to the 
standards, not by trying to find loopholes in it). IPv6 could have been 
the place to build a 'safe new SMTP world', but that opportunity is 
pretty much gone now :-(



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53