Re: [ietf-smtp] EHLO domain validation requirement in RFC 5321

John C Klensin <john@jck.com> Sun, 27 September 2020 16:36 UTC

Return-Path: <john@jck.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A8A43A0925 for <ietf-smtp@ietfa.amsl.com>; Sun, 27 Sep 2020 09:36:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6gG1yYoUzoEo for <ietf-smtp@ietfa.amsl.com>; Sun, 27 Sep 2020 09:36:48 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20F513A0922 for <ietf-smtp@ietf.org>; Sun, 27 Sep 2020 09:36:47 -0700 (PDT)
Received: from [198.252.137.10] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john@jck.com>) id 1kMZfI-000MRH-ME; Sun, 27 Sep 2020 12:36:44 -0400
Date: Sun, 27 Sep 2020 12:36:38 -0400
From: John C Klensin <john@jck.com>
To: John R Levine <johnl@taugh.com>, Keith Moore <moore@network-heretics.com>, ietf-smtp@ietf.org
Message-ID: <524505CF8F2AED906ABA4810@PSB>
In-Reply-To: <46d012a7-f938-741b-95dc-23d37a26cb39@taugh.com>
References: <20200927052221.E0A1A21D3A2D@ary.qy> <198daf90-b3dd-de01-88a0-e9d961feddda@network-heretics.com> <9ad77523-9c98-2249-d01c-80ecc6a96fa@taugh.com> <5e0239fb-9511-c8ae-e4a4-62b9caa2c861@network-heretics.com> <46d012a7-f938-741b-95dc-23d37a26cb39@taugh.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/C1fb1zr9EoiGpqCtPfUBb_8_tQc>
Subject: Re: [ietf-smtp] EHLO domain validation requirement in RFC 5321
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Sep 2020 16:36:49 -0000


--On Sunday, September 27, 2020 11:40 -0400 John R Levine
<johnl@taugh.com> wrote:

>> I would say instead that because some subset of inbound MTAs
>> do EHLO verification, "real mail servers" (i.e. those which
>> manage to continue to deliver mail with some reliability)
>> are forced to have static IPv4 source addresses for which
>> PTR lookup results match EHLO arguments.
> 
> No, we've observed in practice that hosts that don't have
> matching PTRs are spambots.
>...
>>> Anything that comes from a dynamic or NAT pool is invariably
>>> spam from a botnet.
>...

John,

(as with Keith's earlier comment, this is not intended to be a
rant, but might come out sounding that way)

This is a self-fulfilling prophecy which gets back to Keith's
comment about resources.  In order to run an SMTP client or
server with any of the three ISPs I've dealt with recently, and
do so without violating the contracts they impose, I first have
to obtain a business account which is not much different from a
residential account other than costing three or four times as
much.  Because the anti-spam powers that be don't think I should
be running either an SMTP server or a client on dynamic
addresses (even if I have dynamic DNS set up properly and
appropriate MX arrangements), I have to then obtain one or more
static addresses from said ISP and the costs of those are not
going down [1].  And, since the idea of delegating
reverse-mapping ranges on bit boundaries failed, once one has
those static addresses, one then has to convince the ISP to
provide the correct reverse mapping.  That, too, has costs -
either in terms of money or in efforts to negotiate.  There may
be ISPs out there who, upon supplying a static address or
address range inquire how one would like the reverse mapping
records to read, or even insist on getting that information, but
I haven't encountered one yet.

So, if the goal, however unintentionally, is to further reduce
the number of independent (and legitimate) SMTP clients and
servers, and force those without extensive resources to shift
over to large and dominant email providers, perhaps we are on
track.

> It would be nice if mail still worked the way it did 30 years
> ago, but that was most definitely then, and this is now.

And, from the standpoint of those large providers, the fight
against spam and other sorts of evil behavior would be ever so
much easier if they had only a handful of other providers to
work with s.t. anything not coming from one of them was suspect.
Of course, the way DMARC was developed and deployed might be
believed to reflect exactly that attitude.

    john


[1] I don't know that I believe it but I've heard it suggested
that some ISPs are doing less than they might to encourage IPv6
adoption because they couldn't get away with charging nearly as
much for static addresses in that space.
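The check the quoted exchange is arguing about (does the PTR of the connecting address agree with the EHLO argument, and does that name resolve back to the address) is shown below as an added example; it is not code from this thread, from any list member, or from any MTA. It goes slightly beyond the text by also handling RFC 5321 address literals and by distinguishing "PTR differs but the EHLO name still forward-resolves to the client" from an outright mismatch. The resolver is replaced by constructed in-memory tables so it runs offline; all names and addresses are documentation values (example.net, 192.0.2.x, 203.0.113.x, 198.51.100.x) and the lookup and verdict names are this example's own. Note that the "no-ptr" and "ptr-mismatch" outcomes are exactly the ones the message above says fall on legitimate operators who cannot get reverse mapping from their ISP; the function only classifies, and whether a receiver rejects, greylists, or merely logs on those verdicts is a local policy decision.

```python
"""Forward-confirmed reverse DNS (FCrDNS) style check of an SMTP EHLO argument.

Added example, not code from the ietf-smtp thread or any MTA. The resolver
is replaced by constructed in-memory tables so it runs offline; every name
and address is a documentation value (RFC 2606 / RFC 5737).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed "DNS" data. PTR_TABLE maps a client IP to its reverse names,
# A_TABLE maps a name to its forward addresses.
PTR_TABLE: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net."],
    # Access-pool style reverse name: correct, but generic.
    "203.0.113.77": ["cpe-203-113-77.dyn.isp.example."],
    # 198.51.100.5 intentionally has no PTR record at all.
}
A_TABLE: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10"],
    "cpe-203-113-77.dyn.isp.example.": ["203.0.113.77"],
    # A second name that points at the same host as mail.example.net.
    "mx.example.org.": ["192.0.2.10"],
}


def _norm(name: str) -> str:
    """Canonical form: lower-case with a single trailing dot."""
    return name.rstrip(".").lower() + "."


def lookup_ptr(ip: str) -> List[str]:
    """Hypothetical resolver stub: PTR names for an IP (constructed data)."""
    return PTR_TABLE.get(ip, [])


def lookup_a(name: str) -> List[str]:
    """Hypothetical resolver stub: A records for a name (constructed data)."""
    return A_TABLE.get(_norm(name), [])


# FQDN syntax: at least two LDH labels, no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")


@dataclass
class EhloVerdict:
    status: str  # match | forward-confirmed | address-literal | ptr-mismatch | no-ptr | bad-syntax
    detail: str


def check_ehlo(client_ip: str, ehlo_arg: str,
               ptr: Callable[[str], List[str]] = lookup_ptr,
               a: Callable[[str], List[str]] = lookup_a) -> EhloVerdict:
    """Classify how well the EHLO argument agrees with the connecting IP."""
    # Address literal ("[192.0.2.10]" or "[IPv6:2001:db8::1]"): RFC 5321 permits
    # it when the client has no name; it is consistent only if it equals the peer IP.
    if ehlo_arg.startswith("[") and ehlo_arg.endswith("]"):
        literal = ehlo_arg[1:-1]
        if literal.startswith("IPv6:"):
            literal = literal[5:]
        try:
            same = ipaddress.ip_address(literal) == ipaddress.ip_address(client_ip)
        except ValueError:
            return EhloVerdict("bad-syntax", f"unparseable address literal {ehlo_arg!r}")
        if same:
            return EhloVerdict("address-literal", "literal equals the connecting IP")
        return EhloVerdict("ptr-mismatch", f"literal {literal} is not the connecting IP {client_ip}")

    if not FQDN.match(ehlo_arg):
        return EhloVerdict("bad-syntax", f"EHLO argument {ehlo_arg!r} is not a FQDN")

    reverse_names = [_norm(n) for n in ptr(client_ip)]
    if not reverse_names:
        return EhloVerdict("no-ptr", f"no PTR record for {client_ip}")

    forward_ok = client_ip in a(ehlo_arg)
    if _norm(ehlo_arg) in reverse_names:
        if forward_ok:
            return EhloVerdict("match", "PTR equals EHLO name and resolves back to the IP")
        return EhloVerdict("ptr-mismatch", "PTR equals EHLO name but the name does not resolve to the IP")
    if forward_ok:
        # Different PTR, but the EHLO name does forward-resolve to the client.
        return EhloVerdict("forward-confirmed",
                           f"PTR is {reverse_names[0]} but {ehlo_arg} resolves to {client_ip}")
    return EhloVerdict("ptr-mismatch",
                       f"PTR {reverse_names} vs EHLO {ehlo_arg!r}, no forward confirmation")


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.net"),
                     ("192.0.2.10", "mx.example.org"),
                     ("203.0.113.77", "myhomebox.example"),
                     ("198.51.100.5", "mail.example.net"),
                     ("198.51.100.5", "[198.51.100.5]")]:
        v = check_ehlo(ip, helo)
        print(f"{ip:14} EHLO {helo:20} -> {v.status}: {v.detail}")
```

The `ptr` and `a` parameters exist so a real resolver (or a cached one) can be passed in place of the constructed tables; the classification logic does not change. Observe that a dynamic-pool host whose EHLO matches its ISP-assigned reverse name comes out as "match": the forward-confirmed check says nothing about whether a name looks like a pool, which is a separate heuristic the thread also touches on.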