IETF Logo Mail Archive

Re: [ietf-smtp] Endless debate on IP literals

"John R Levine" <johnl@taugh.com> Wed, 01 January 2020 19:34 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0ABD120099 for <ietf-smtp@ietfa.amsl.com>; Wed, 1 Jan 2020 11:34:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=fiu+v4lG; dkim=pass (1536-bit key) header.d=taugh.com header.b=hgY9KZ48
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HoW-rea0xuzW for <ietf-smtp@ietfa.amsl.com>; Wed, 1 Jan 2020 11:34:18 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FCF01200D8 for <ietf-smtp@ietf.org>; Wed, 1 Jan 2020 11:34:18 -0800 (PST)
Received: (qmail 86916 invoked from network); 1 Jan 2020 19:34:16 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=15382.5e0cf438.k2001; i=johnl-iecc.com@submit.iecc.com; bh=f9Ylyn47TWdftRC/XeT/y36ENQuaUoP2cIemVj9cNAs=; b=fiu+v4lGsUcPR7nJiBjvGU76QT1e95WrzPELhxvsD2mhVW6sJK4YaoqXB5dL5IRD+s64K3PmUOWxfuvDsOWeZME5sabxJpqNTWMO9FXnXkHPW8MR141+0V8HwHDE/v8wXQX2gDK/q/dy8r7mNsJ5ZKz6XfFnRONvGC3OeiFIWduflM+92s/6nQtKIn4hIsO5v4pzgD7CgAuWcss8mkQDq5IeNnsOJ0bKRp6NFJQE20vouhwIjw8lCLVJ1tQ0NbF3
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=15382.5e0cf438.k2001; olt=johnl-iecc.com@submit.iecc.com; bh=f9Ylyn47TWdftRC/XeT/y36ENQuaUoP2cIemVj9cNAs=; b=hgY9KZ48zee0FpmzYgPZwJoDNsZ/DSLVBCE0NDxKxRmyFv1sQxVm1pFs3mhtlXyTVclIdcyOGIiz5ivoKuku03l9CoPZdPAghmmy/Tux2+u8eOZXHv6Qb+tL7tq5GNrpbjTjIK3XFUNS1WOVqTl66cS5sYzo3PoG8oLK2WGiyou82n1jO/5PH5fmmlBnXIpRN5ThVjg+qrl0vwSGg/aoQBp/lfpNw8lZhWRwQNvCKXRX0PhF9RkpedIgZU2rG0S9
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.3 ECDHE-RSA AES-256-GCM AEAD, johnl@iecc.com) via TCP6; 01 Jan 2020 19:34:16 -0000
Date: Wed, 01 Jan 2020 14:34:16 -0500
Message-ID: <alpine.OSX.2.21.99999.374.2001011410220.53128@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Keith Moore <moore@network-heretics.com>
Cc: ietf-smtp@ietf.org
In-Reply-To: <64f30fa9-ab2a-fe48-f324-426ed48b7091@network-heretics.com>
References: <20200101183846.38F7811E2E72@ary.qy> <64f30fa9-ab2a-fe48-f324-426ed48b7091@network-heretics.com>
User-Agent: Alpine 2.21.99999 (OSX 374 2019-10-27)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1501987096-1577907256=:53128"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/LeTnRdnxFDuv0FdGvBkN_ltmBkg>
Subject: Re: [ietf-smtp] Endless debate on IP literals
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jan 2020 19:34:20 -0000

On Wed, 1 Jan 2020, Keith Moore wrote:
> In my mind the question is: how to explain to ordinary operators, 
> administrators, IoT device vendors, etc. how to make this work well?    If 
> someone is developing an IoT device that needs to send mail, what is that 
> device required to do, what configuration options should it offer, etc.?

A BCP for submission configuration advice wouldn't be a bad idea.  I don't 
think it needs to be very complicated but you're right that stuff that 
seems obvious to us is not to other people.  I don't know much about 
embedded environments but I think we could suggest some best practices, 
e.g., if the recipient needs the IP address of the sending device, put it 
in the message and don't depend on recovering it from the envelope or From 
header.

R's,
John

PS:

> p.s. I somehow doubt that we should recommend authentication based only on IP 
> address at any level, though.    That's poor practice even for a small 
> network that assigns static IP addresses to all of its hosts.   More broadly 
> there's a widespread misconception that isolated networks are not subject to 
> security threats or that perimeter defenses are sufficient to protect them,

It sounds like you may be conflating "authenticated" and "good".  The 
point of authenticating submissions is so that you know where they're 
coming from, and you're not an open relay for every random hostile host in 
the world, not that you know it's mail the recipient wants.  A device can 
be compromised or just have a bug and suddenly decide that it has 86,400 
overdue update messages it needs to send right now through its 100% 
authenticated submission channel.  That's why submission servers need 
sanity checks on the mail they handle.

v2.23.0 | Report a Bug | By Email