Re: [ietf-smtp] EHLO domain validation requirement in RFC 5321

Keith Moore <moore@network-heretics.com> Mon, 05 October 2020 01:23 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A35C33A0AEF for <ietf-smtp@ietfa.amsl.com>; Sun, 4 Oct 2020 18:23:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.111
X-Spam-Level:
X-Spam-Status: No, score=-2.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.213, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OtJhtxUKT9U1 for <ietf-smtp@ietfa.amsl.com>; Sun, 4 Oct 2020 18:23:17 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1ABF53A0AEB for <ietf-smtp@ietf.org>; Sun, 4 Oct 2020 18:23:16 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id A9730B32 for <ietf-smtp@ietf.org>; Sun, 4 Oct 2020 21:23:14 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Sun, 04 Oct 2020 21:23:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=Dvd0Rg Bayl3UkEEifv1856xQStwG/dvgnL30bgnCl4Y=; b=AZpSi7RW1yuBhB2v8+mBnr uqT1cPuA/XSnMmig1zHjMBC1uB1uj7EDPjheah+gwNA5a0hUdVQvTwkuekBJm66l 6/De0uTprbZEFJTzkbA67NRLLbGXo4aVNRyFbpT2mcddjqHUDXpYeXpHGkwiU/0v FTGZUdzWX4lLk5VCqLWmXOmHawLP/9gcBy/bTaNg6/uVWMJkePoIf6T3XlUx3QKO RJ+jOvzg7dm8R1/upYQtG9qSbPe39drpeZc3sgts6ABWT9rsl8OUWsW4C9ZbPHdi K/A6Xm6roHoNCVJrrZa4eLKAEritrsYykUBTbmWYdsxxs97PJBah4AkkcptgDGIA ==
X-ME-Sender: <xms:fHV6X8GnPibmvOp__1vDTc0EfD3bpTcFF1eOWjbT2pOQf5uHJV1aOw> <xme:fHV6X1XvRt_YTP5K2MmSiHITrA4ITP03gB05OxInzg-NGB6ZtoVEF68Imbj7rwpAV hQDLTdredQSlQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrgedugdegjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepuffvfhfhkffffgggjggtsegrtderre dtfeehnecuhfhrohhmpefmvghithhhucfoohhorhgvuceomhhoohhrvgesnhgvthifohhr khdqhhgvrhgvthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpeeuveelvdehgeetvd euheegieetuddtuedujefgueeuffekleetgefgvdehvefhhfenucfkphepuddtkedrvddv uddrudektddrudehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilh hfrhhomhepmhhoohhrvgesnhgvthifohhrkhdqhhgvrhgvthhitghsrdgtohhm
X-ME-Proxy: <xmx:fHV6X2Kd9hsRPY8-r8RES1MJWxRDQQ3pD_B0gz69_iee2P2EzYtOkQ> <xmx:fHV6X-F6otBe8NbDzshWhG1HaqplRb6uGPGtvy6clTP6qGYTX0UW5w> <xmx:fHV6XyU8RHGhqVsVVJf6mK7cqeKxf3GLBo_Brh-DDS6wMyUxj4DN6w> <xmx:gnV6X7VSPOd3gn8GyDhAQbVZyFZluClTOSwDAC3VnKS1hWf8I75HuA>
Received: from [192.168.1.85] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id 0A998306467E for <ietf-smtp@ietf.org>; Sun, 4 Oct 2020 21:23:07 -0400 (EDT)
To: ietf-smtp@ietf.org
References: <20201004214603.5C63B22EE214@ary.qy> <3b9f2e02-24e7-a3c6-d763-e07eb2912fb2@network-heretics.com> <cone.1601852941.177733.29744.1004@monster.email-scan.com> <ff12dbef-0ce0-ac8a-c099-122c76aacc2c@network-heretics.com> <cone.1601858064.579130.29744.1004@monster.email-scan.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <d6b6202f-4e2c-d593-26b7-62da6a643821@network-heretics.com>
Date: Sun, 4 Oct 2020 21:23:06 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <cone.1601858064.579130.29744.1004@monster.email-scan.com>
Content-Type: multipart/alternative; boundary="------------D10661C6B467483134D8AD40"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/Do8kUIfnJQA3egw1AIu4fRerxJM>
Subject: Re: [ietf-smtp] EHLO domain validation requirement in RFC 5321
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2020 01:23:20 -0000

On 10/4/20 8:34 PM, Sam Varshavchik wrote:

>>> Whether it's fair, or not, if someone wishes to evaluate an 
>>> individual IP address based on its "neighborhood", a.k.a., the 
>>> hosting provider, it is their prerogative to do so. Their mail 
>>> server, their rules.
>>
>> As long as they're only handling their own mail, I'd agree.
>
> It's unclear to me how they could end up handling something that's not 
> their own mail.

That's what MSPs do - they handle mail on others' behalf.

Let me use an analogy.  If I buy Internet service from some ISP, I 
expect them to deliver the IP packets that I originate to their 
destinations, and I expect them to deliver IP packets from other sources 
to my network.   What I don't expect is that the ISP will randomly drop 
or mangle IP packets based on arbitrary criteria. The IP stack 
(including everything above IP) expects that networks will make a best 
effort to deliver packets and largely depends on that behavior.

>>> Or, if someone decides to willingly outsource their evaluation to a 
>>> third party provider, it is their prerogative to do so as well.
>>
>> Sure, though one hopes that the third party operates by published 
>> criteria that helps the client evaluate that provider's effectiveness 
>> and sanity.
>
> That's neither here, nor there. One can publish anything. Whether they 
> abide by what they publish, in practice, it's a different story. But 
> everyone should make their own decisions, for themselves.

That's not a way to get reliability or interoperability.

>
> To my knowledge, none of the widestly used, and most popular third 
> party E-mail reputation services have any kind of authoritative, 
> published manifesto about how they go about doing what they do. 
> Anything beyond very, very general and non-specific description of 
> what they're all about, and what their lofty goals are. Some are more 
> specific than others, but nobody will actually state, for the record, 
> exactly how they get from point A to point B.
>
> And that has always been the way as far as I can remember.
>
> And they are still used.

And this is precisely why email is now unreliable.

It used to be that IETF was about people trying to make the network and 
networked applications work well for everyone.   But somehow this list 
is now populated by at least a few people who are loudly defending their 
"right" to screw it up by whatever means they choose, for whatever 
reasons they choose, without having to answer to anyone for doing so.    
Assuming you have some good intention behind your arguments (and I, 
perhaps naively, expect that you really do), it's hard to see what it is.

> You are entitled to your opinion. But you need to understand that, 
> insofar as the operators of those mail servers go, they don't really 
> value your opinion that much. 

Well, I happen to think that email, as an interpersonal messaging 
service, is worth preserving.   Maybe they don't.

>> The purpose of IETF (and therefore this list) is to promote 
>> interoperability, not to degrade it or shield those who do so.
>
> And specifying how EHLO/HELO, MAIL FROM, RCPT TO, and DATA works, on a 
> purely technical level – this can't be any more interoperable than it 
> already is.
Email isn't just a protocol, it is a service.   You can conform to the 
SMTP specification to the letter and the email service still be unreliable.
>
> Whether or not someone accepts mail from someone else is a matter of 
> policy, not interoperability.

You're not even arguing for policy.   You're arguing for completely 
arbitrary behavior.

>
> Interoperability is promoted by having a rigid, unambiguous, technical 
> specification for something. That spells everything out in detail. 
> SMTP is much more interoperable than other mail protocols that better 
> be left unsaid, which had poor specs from the beginning that created 
> many interoperability headaches, for decades. As far as that goes, I 
> think that SMTP is remarkably interoperable.
>
> But I don't think there's anything technical in requiring any 
> particular validation or non-validation criteria, or a policy, for the 
> sender's IP address, or a domain, that falls outside of SMTP's strict 
> boundaries. That's a matter of policy, and not a technical 
> specification, and bears no relevance on interoperability.

Emphatically disagree.   If users can't trust that reasonable mail that 
they send to correct addresses of willing recipients will be delivered, 
email doesn't interoperate by any reasonable definition.

>
>>> Yes, they may seem to be arbitrary to an outside observer. But, they 
>>> must have merit to whoever is using that spam filter. If it didn't 
>>> have any merit, then they would not be put into place, by definition.
>>
>> I disagree.  I've seen lots of spam filtered for meritless reasons, I've
>
> You concluded that it was meritless to yourself. You did not make that 
> conclusion for anyone else.

Well, you're so busy trying to define "merit"  in a circular and 
meaningless fashion, that I don't think I could ever convince you anyway.

>
>> seen lots of examples of operators engaging in completely arbitrary 
>> behavior.
>
> Arbitrary in your eyes.

Arbitrary in users' eyes, and users are generally powerless to do 
anything about it other than maintain multiple email accounts and try 
them randomly until something works or they give up.


> This has been alluded to before, briefly. Back in the 1990s, there was 
> a rather …vocal group who proferred the notion that mail server 
> administrators have no standing to control E-mail sent or received by 
> their users. That their users had some kind of a right to receive all 
> E-mail unfettered and that mail administrators have no right, of some 
> sorts, to block it for any reason.

Some of those people were *right*, even if they didn't make their 
arguments with perfect precision.     They were arguing for a *reliable 
email network* as viewed by users.

What if telephone calls were arbitrarily blocked by the telephone 
network for no apparent reason, maybe because the caller was from a "bad 
neighborhood"?   Would people keep relying on the telephone network, or 
would they just give up?   (Sure, recipients often ignore calls for 
which the calling number isn't known to them, but that's not the network 
blocking the calls)

I do remember some of the anti-spam discussions in the 1990s and how 
chaotic and hopeless they were.   There was a tremendous amount of 
naivete among most of the participants, and a lot of belligerence among 
some, especially those trying to make a "land grab" for part of the 
space whether by patent filings or other means.    I basically bailed, 
not having the time to keep up with them, hoping that the discussions 
would get saner later.

But today is not the 1990s, and conditions are somewhat different now 
than they were then, in ways that might be useful if people actually 
want to create a reliable email service.    Of course, maybe some people 
today still stand to benefit from perpetuating the chaos that currently 
exists.

>
> No matter how much someone asserts to the contrary, the administrators 
> of mail servers will always have complete, and have the only say, as 
> to their mail servers' administrative policies. And there's nothing 
> that anyone will be able to do about it. No matter how much anyone 
> else, you or anyone else, thinks of the merits of their work. Sorry. 
> Write any requirement into the next SMTP specification, that attempts 
> to dictate policy. It won't work.

Well maybe there are some subset of MSPs that actually want to 
contribute to making email more reliable, and maybe those MSPs are 
willing to try to build consensus around policies to that end. As for 
the ones trying to sabotage mail for whatever reasons, I don't think 
IETF can do anything about them, but we can always hope that the ones 
that care about reliable service replace them.

So maybe there should be an RFC "How To Make Your Email Work Reliably If 
That's Actually What You Want To Do".   Because I think Internet email, 
at least post-821/822, is still far better at its core than every other 
messaging system out there.   Better metadata, better searching, better 
archiving, more flexibility. What has happened to Internet email is 
nothing short of tragic, and I would like to see it fixed rather than 
left to rot.

>
>> And that path leads to a thoroughly dysfunctional mail system, in 
>> which senders cannot assure the reliable delivery of mail
>
> This has never been the case, sorry.
>
> E-mail, as it stands, has never been a reliable, guaranteed message 
> delivery medium. At most, E-mail has always been on a best-effort basis.

Best-effort worked fairly well back when the biggest reasons for failure 
were bad MTA configuration (sendmail.cf files were especially 
notorious), bad DNS configuration, and persistent failure of the IP network.

Today's email is nowhere nearly a best-effort service.

>>> If it makes sense, to them, to enable EHLO domain verification 
>>> (dragging this subject matter back into the thread kicking and 
>>> screaming), then they're going to do that no matter what verbiage 
>>> remains in the successor to RFC 5321. You can take that to the bank.
>>
>>
>> Yes, people will defend their own stupidity and irresponsibility 
>> until their deathbeds.     That doesn't mean that IETF should support 
>> it.
>
> Well, I'm somewhat skeptical that they're looking for IETF's support 
> on anything. And I don't really know what "IETF should support it" 
> means in this context. Is IETF about setting everyone's mail 
> acceptance mail policies, by decree?


No, IETF is about trying to make recommendations that will facilitate 
and improve service for users.   Which seems like the opposite of what 
you're arguing for.

Keith