Re: [ietf-smtp] How wrong is this EAI implementation

Ned Freed <ned.freed@mrochek.com> Sun, 21 June 2020 17:43 UTC

Cc: ietf-smtp@ietf.org, arnt@gulbrandsen.priv.no
Message-id: <01RMC04ZTHFU000059@mauve.mrochek.com>
Date: Sun, 21 Jun 2020 10:11:48 -0700 (PDT)
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Sun, 21 Jun 2020 10:53:42 -0400" <20200621145342.7364B1B4460D@ary.qy>
References: <kzlyExy/3YBZVUSNURxDqMLjYwWYAVGpn6yogCjhITg=.sha-256@antelope.email> <20200621145342.7364B1B4460D@ary.qy>
To: John Levine <johnl@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/28IkSpfOav94Ltjh9ifKhx9rUZQ>
Subject: Re: [ietf-smtp] How wrong is this EAI implementation

> In article <kzlyExy/3YBZVUSNURxDqMLjYwWYAVGpn6yogCjhITg=.sha-256@antelope.email> you write:

> > I note that there is no explicit requirement to treat incoming a-labels
> > as equivalent with u-labels anywhere in the EAI RFCs. Which means that
> > you can convert labels before sending, but you cannot rely on the
> > receiver to interpret the result as desired.

The EAI documents repeatedly refer to there being two different "forms" for
domains, u-label and a-label. The only reasonable interpretation of such
statements is that they are equivalent. RFC 6531 even goes so far as to
say that u-label form should be used when the SMTPUTF8 extension is available,
a-label form when it isn't.

Additionally, the point that always seems to be elided in these discussions is
that MTAs do NOT have the luxury of treating addresses as opaque strings.
Elimination of duplicate addresses, alias lookup, and canonicalization of
local address forms are all things that MTAs do routinely, and all of them
require at a minimum the ability to compare addresses and get correct results.
This combined with the "multiple forms" notion in the documents leaves very
little wiggle room for implementers, explicit requirements or not.

And yes, it's a bit of a PITA to code.

> I don't think that 5321 requires that bob@example.com and bob@EXAMPLE.COM
> be treated the same, either.

Section 2.4 explicitly says domains are case-insensitive. Not a lot of wiggle
room here either.

> Beyond some point, you can't force people to be reasonable.

No, but I think you can make a case that any implementation that fails to treat
the forms as equivalent is incompliant.

> In the particular case I mentioned, my MTA is Courier which treats
> A-labels and U-labels equivalently in mail addresses, but not in
> identifiers for authentication.  It was easy enough to add both versions
> to the identifier table, but I think I'm going to send a bug report to
> roundcube.

Yet another case where comparisons are unavoidable.

				Ned
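
Added example, not part of the message above and not code from any MTA named in the thread: a sketch of the address comparison the message says MTAs cannot avoid, where the domain is reduced to lower-case A-label form and the local part is left untouched. The function names and sample addresses are constructed for illustration, and Python's built-in "idna" codec (IDNA2003 rules) is assumed as a stand-in for the IDNA2008 processing a production implementation would use.

```python
# Added example: compare mailbox addresses so that U-label and A-label
# domain forms, and domain case differences, name the same domain.
# Assumption: the stdlib "idna" codec (IDNA2003) stands in for IDNA2008.
import unicodedata


def canonical_domain(domain: str) -> str:
    """Return the lower-case A-label (xn--) form of a domain."""
    domain = unicodedata.normalize("NFC", domain.rstrip("."))
    if not domain:
        raise ValueError("empty domain")
    # The codec converts each U-label to xn-- form; pure-ASCII labels pass
    # through unchanged, so the result is lower-cased afterwards.
    return domain.encode("idna").decode("ascii").lower()


def canonical_address(address: str) -> tuple[str, str]:
    """Split at the last '@'; the local part is kept exactly as given."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local:
        raise ValueError(f"not a mailbox address: {address!r}")
    return local, canonical_domain(domain)


def same_mailbox(a: str, b: str) -> bool:
    return canonical_address(a) == canonical_address(b)


def dedupe(recipients: list[str]) -> list[str]:
    """Drop duplicate recipients, keeping the first spelling seen."""
    seen: dict[tuple[str, str], str] = {}
    for rcpt in recipients:
        seen.setdefault(canonical_address(rcpt), rcpt)
    return list(seen.values())


# Constructed sample recipient list (not taken from the thread).
SAMPLE = [
    "user@bücher.example",
    "user@XN--BCHER-KVA.example",   # A-label form of the same domain
    "bob@example.com",
    "bob@EXAMPLE.COM",              # domain differs only in case
    "Bob@example.com",              # local part differs: a separate key
]

if __name__ == "__main__":
    print(dedupe(SAMPLE))
```

The same canonical key can be used for alias-table and authentication-identifier lookups, so a single table entry matches either spelling of the domain.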