IETF Logo Mail Archive

Re: [ietf-smtp] Possible cont4ibution to moving forward with RFC5321bis SMTP

Keith Moore <moore@network-heretics.com> Tue, 31 December 2019 18:23 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 501CB12001A for <ietf-smtp@ietfa.amsl.com>; Tue, 31 Dec 2019 10:23:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9EJDysVa4wYM for <ietf-smtp@ietfa.amsl.com>; Tue, 31 Dec 2019 10:23:36 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 297A5120019 for <ietf-smtp@ietf.org>; Tue, 31 Dec 2019 10:23:36 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 7AFAB2227E; Tue, 31 Dec 2019 13:23:34 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Tue, 31 Dec 2019 13:23:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=0FyHa0 aHUcictgimzB50GAmeXAx9tKbudrCBwqE7QDE=; b=Wb+jQ1HuNKhkwlorTf8SNH KNoAEHn212t74kSR0fytjQlxMr8ZJY4LYwHh9j6gIaCk2ut5jo9VPrSAsFDlgka+ cbB65ugpdUeJtvIwDUvANAKCBwknPYpkdO69NOVnCXVIzfcZsvzHZgs1ov8jt00D D+uFy4u3Kj2IbqpGp7C9JpvOsL5/lx3pYxg8qGnaUzT77fi70DuD/pknz4pYghEh uZwGBGg8+0SFhl1/D1UCFtl08Y7vJVGvbhWxuBWA7DG7OOiz+kOPg1nEDbQonk0R 3tFLQIKpmUV3mx3FjQmnffvh89cqPpzsTnDlO4Gl6gJ32t0RpbyT7JxV2NO6CscQ ==
X-ME-Sender: <xms:JpILXvccq5rFluoDuIMmnk16IgTuJhcshEfCRN-2MqV1Uv-2AZZiZQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrvdefjedguddutdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepuffvfhfhkffffgggjggtsegrtd erredtfeejnecuhfhrohhmpefmvghithhhucfoohhorhgvuceomhhoohhrvgesnhgvthif ohhrkhdqhhgvrhgvthhitghsrdgtohhmqeenucfkphepuddtkedrvddvuddrudektddrud ehnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmohhorhgvsehnvghtfihorhhkqdhhvghr vghtihgtshdrtghomhenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:JpILXg4POIlfAenR1AnWSPQvB_oNicXq21zfpjx-73qFXWigDYIiXQ> <xmx:JpILXjNWlWvNXFyaBNeuDvAgEjBEqmv8GrIwAc2_lTmlmx-kmXUgwA> <xmx:JpILXh7NNXl9tfUcRAEscYZLQDRk9FFx3fjcCKtmXEPCXhMVbfpipg> <xmx:JpILXuJF-Nez5tNjaBjh8QnTElIu4Bjo_o3TYnAcNEmn44OlwVjHuA>
Received: from [192.168.1.97] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id CDA5630608E0; Tue, 31 Dec 2019 13:23:33 -0500 (EST)
To: ietf-smtp@ietf.org
References: <20191230013034.2C3E111D376E@ary.qy> <f894c448-ac91-6d27-98d6-0803de4ea535@network-heretics.com> <alpine.OSX.2.21.99999.374.1912292129450.44159@ary.qy> <d3dc48b0-332b-c2fe-704a-d6dc69eb5424@network-heretics.com> <5E0B8658.2060703@isdg.net>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <fc8d4d71-39a4-6ca0-608a-d2113b206c5f@network-heretics.com>
Date: Tue, 31 Dec 2019 13:23:30 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <5E0B8658.2060703@isdg.net>
Content-Type: multipart/alternative; boundary="------------4B389851A3310563F0FA0E67"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/hlnrzrbIMM3MaNAlGO2_QpyOT-4>
Subject: Re: [ietf-smtp] Possible cont4ibution to moving forward with RFC5321bis SMTP
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Dec 2019 18:23:39 -0000

On 12/31/19 12:33 PM, Hector Santos wrote:

> I have two SMTP compliancy-based deterministic filters:
>
> - Machine name ip-literal matching connecting ip because SMTP tells us 
> it is defined as the IP address of the connecting client, and

This is something that should be clarified in 5321bis, IMO.   The IP 
address literal is the address as seen by the client, which in an IPv4 
world with increasing numbers of NATs can't be guaranteed to be the 
address as seen by the server.  And as long as people keep using IPv4, 
there will be NATs in the middle of the network.

So if an IP address literal is used in HELO/EHLO, it MUST (or at least 
SHOULD) be the source IP address of the current TCP connection as seen 
by the client.   The HELO/EHLO tag will then get copied to a Received 
header field.   But because of NATs, servers therefore SHOULD NOT (maybe 
MUST NOT) refuse mail based on whether the EHLO/HELO address matches the 
peer address.   (The only case I can think of that makes sense for 
rejecting such mail is if the server somehow has reliable out-of-band 
information that the client is lying about its address.   It's not 
impossible, but it's difficult to imagine how this could happen.)

And while clients SHOULD use a DNS name in HELO/EHLO if they have one, 
not all SMTP clients can be expected to have a DNS name.   So servers 
SHOULD NOT (maybe MUST NOT) reject mail based on the mere presence or 
absence of an IP address literal in HELO/EHLO.   It would be insane for 
a standard to make a recommendation that degrades the reliability of the 
service it provides.

Having said that, if a server operator /reliably/ knows that use of an 
IP address literal in HELO/EHLO is /currently/ a /reliable//indication/ 
of spam, it might make sense to filter based on that use.   The keys are 
in /reliably/ knowing that, knowing that it is a /reliable indication/, 
and knowing that the indication is /currently/ reliable. The operator 
might also have other information of use - such as knowing the community 
of people who can legitimately send mail to the server, and how they 
configure their servers [*].   If an operator knows those things, then 
the rejection is not based on the "mere" presence or absence of an IP 
address literal - it's based on other information also.

But reliably knowing these things requires work and tools, and keeping 
that information current also requires work and tools.   I wonder how 
much spare time operators have to do the necessary work to make sure 
that the indicators are reliable, and I wonder if the tools that they 
need to do this are readily available to them.   I don't know how much 
of this should be in scope for 5321bis - probably none of it - but this 
does seem like part of what's required to improve the reliability of 
email delivery.

Keith

[*] But is using an SMTP forwarder that has a DNS name really part of 
the price of admission to IETF discussions?   And if so, shouldn't that 
be explicit policy rather than just the ad hoc decision of a server 
administrator?

v2.23.0 | Report a Bug | By Email