[ietf-smtp] EHLO domain validation requirement in RFC 5321

Sam Varshavchik <mrsam@courier-mta.com> Fri, 18 September 2020 22:36 UTC

Return-Path: <mrsam@courier-mta.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D563A09B0 for <ietf-smtp@ietfa.amsl.com>; Fri, 18 Sep 2020 15:36:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7Z9_bKnq-6X for <ietf-smtp@ietfa.amsl.com>; Fri, 18 Sep 2020 15:36:23 -0700 (PDT)
Received: from mailx.courier-mta.com (mailx.courier-mta.com [68.166.206.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CA273A0995 for <ietf-smtp@ietf.org>; Fri, 18 Sep 2020 15:36:22 -0700 (PDT)
Received: from monster.email-scan.com (monster.email-scan.com [::ffff:192.168.0.2]) (TLS: TLSv1.3,256bits,TLS_AES_256_GCM_SHA384) by www.courier-mta.com with UTF8ESMTPS id 00000000002C0014.000000005F653663.000123CB; Fri, 18 Sep 2020 18:36:19 -0400
Received: from monster.email-scan.com (localhost [127.0.0.1]) (IDENT: uid 1004) by monster.email-scan.com with UTF8SMTP id 000000000001C7C8.000000005F653663.0002BBE1; Fri, 18 Sep 2020 18:36:19 -0400
Message-ID: <cone.1600468578.784468.161845.1004@monster.email-scan.com>
X-Mailer: http://www.courier-mta.org/cone/
From: Sam Varshavchik <mrsam@courier-mta.com>
To: ietf-smtp@ietf.org
Date: Fri, 18 Sep 2020 18:36:18 -0400
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=_monster.email-scan.com-161845-1600468578-0001"; micalg=pgp-sha1; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/ABAL9xbBFTTlZ83lmU5XpyRRGPE>
Subject: [ietf-smtp] EHLO domain validation requirement in RFC 5321
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 22:36:25 -0000

RFC 5321 declares:

#  An SMTP server MAY verify that the domain name argument in the EHLO
#  command actually corresponds to the IP address of the client.
#  However, if the verification fails, the server MUST NOT refuse to
#  accept a message on that basis.

It's been my experience that this is frequently ignored in practice: in  
varying ways whatever is seen in EHLO gets validated against DNS and if  
found to be unacceptable mail gets rejected based solely on that criteria.  
This is not a very popular thing to do overall; but it is not a rarity  
either, and I hear about this regularly. This very own E-mail was prompted  
by a thread on my mailing list from someone who had this happen to them this  
week. I don't know how common this practice is, but it's not uncommon.

Courier has an optional setting that can be enabled, that verifies that "the  
domain name argument in the EHLO command actually correspond to the IP  
address". I have it enabled. It's one of my most successful spam filters.  
It's very valueable to me. It's possible that there were one or two  
instances in the last 25 or so years when I found out that this rejected  
something that wasn't junk, but I don't immediately recall a single one.  
I'll stipulate that there might've been one or two times, and that's a  
pretty good record.

I have no specific knowledge about other MTAs capabilities, but I suspect  
that many of them (at least the non-commercial ones) offer something similar  
in nature.

I think that the "MUST NOT", in there, should be, at the most, a "MAY NOT".  
The only situation where MUST NOT makes sense in my eyes would be someone  
who's already authenticated; a mail client on port 587.

I don't recall anyone flaming me in the aforementioned last 25 or so years,  
accusing me of violating the SMTP standard because I rejected whatever they  
deemed was so important to email to me and that I was obligated to read it.  
Maybe it happened, once or twice, I don't remember. But if someone did, I  
would've responded like this: you are absolutely right, and then end the  
conversion without any follow-up.

If I emailed someone and it bounced back because of this, it would never  
cross my mind complain about it. It's their mail server. Their rules.

Then there's also this part:

#  o  The domain name given in the EHLO command MUST be either a primary
#     host name (a domain name that resolves to an address RR) or, if
#     the host has no name, an address literal, as described in
#     Section 4.1.3 and discussed further in the EHLO discussion of
#     Section 4.1.4.

Not sure how to square this away. If it's a MUST, and this fails this test,  
it seems to me that a mail server is no longer under any obligation to  
continue to attempt to do something useful with a sender that does not  
comply with this RFC. But this requirement conflicts with the other  
requirement. I do not see how to reconcile these conflicting assertions.  
Either it is permissible to disengage from a non-compliant client, or not.  
Both can't be true.

As a side note, I wasn't sure whether I want to mention this at all. It's  
actually against my self-interest to do so. After all, if this gets changed  
and becomes compliant behavior, and EHLO/HELO domain name validation becomes  
more prevalent: the spam factories will surely notice, adjust, and this spam  
filtering technique will become much less effective.