IETF Logo Mail Archive

Re: RFC 5321bis / 2821ter

Paul Smith <paul@pscs.co.uk> Thu, 29 January 2009 17:40 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0THe596031014 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 29 Jan 2009 10:40:05 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n0THe5HP031013; Thu, 29 Jan 2009 10:40:05 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from mail.pscs.co.uk (mail.pscs.co.uk [77.240.14.73]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n0THe36Y031004 for <ietf-smtp@imc.org>; Thu, 29 Jan 2009 10:40:04 -0700 (MST) (envelope-from paul@pscs.co.uk)
Received: from lmail.pscs.co.uk ([62.3.195.6]) by mail.pscs.co.uk ([77.240.14.73] running VPOP3) with ESMTP; Thu, 29 Jan 2009 17:40:02 -0000
Received: from [192.168.66.101] ([192.168.66.101]) by lmail.pscs.co.uk ([192.168.66.70] running VPOP3) with ESMTP; Thu, 29 Jan 2009 17:36:27 -0000
Message-ID: <4981E916.2040805@pscs.co.uk>
Date: Thu, 29 Jan 2009 17:36:22 +0000
From: Paul Smith <paul@pscs.co.uk>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: John C Klensin <john+smtp@jck.com>
CC: Alessandro Vesely <vesely@tana.it>, ietf-smtp@imc.org
Subject: Re: RFC 5321bis / 2821ter
References: <4979D903.1060705@pscs.co.uk> <E5EF288BD222F5BA20C735BD@PST.JCK.COM> <497980AA.2060706@es2eng.com> <C4ZHRHThnSMjwwDOZ03z0w.md5@lochnagar.oryx.com> <4979B5F2.9010102@pscs.co.uk> <WBwvOp9JIdw2SWc1HYscRg.md5@lochnagar.oryx.com> <4979D903.1060705@pscs.co.uk> <5.2.1.1.0.20090123140212.03ed3fb0@plus.pop.mail.yahoo.com> <51104ACCD26E8167A1B3981E@PST.JCK.COM> <497D8756.5030306@pscs.co.uk> <alpine.LSU.2.00.0901261913140.4795@hermes-2.csi.cam.ac.uk> <497ED51D.9040407@pscs.co.uk> <497EE0EA.6080704@tana.it> <497EEB01.8060300@pscs.co.uk> <497F41FB.7060101@tana.it> <497F4765.6070109@pscs.co.uk> <497F7058.90109@santronics.com> <498025E0.7080802@pscs.co.uk> <49809046.101@santronics.com> <49816FD7.1040609@pscs.co.uk> <4981CB21.7080801@tana.it> <329705CBE49F16B7218F4E32@PST.JCK.COM>
In-Reply-To: <329705CBE49F16B7218F4E32@PST.JCK.COM>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: paul
X-Server: VPOP3 Enterprise V2.6.0e - Registered
X-Organisation: Paul Smith Computer Services
X-Authenticated-Sender: Postmaster
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>

John C Klensin wrote:
> The following are all
> perfectly valid decisions under 5321 as written:
>
> 	* Rejecting the EHLO command and message because the
> 	argument does not follow the syntax rules.
>   
Yes

> 	* Rejecting the EHLO command and message because the
> 	apparent FQDN in the argument does not resolve at all in
> 	the public DNS.
>   
Not sure about this one. The wording says:

However, if the verification fails, the server MUST NOT refuse to
   accept a message on that basis.

It doesn't say 'if the domain argument resolves to a different IP
address than that of the client it MUST NOT refuse to accept the message
on that basis'. It says 'if the verification fails', that could
potentially be 'host not found' as well as different IP address or whatever.

The 'verifying the argument corresponds to the IP address' is also a bit
vague. One person could say that this means that the A record for the
argument should match the IP address, but what about CNAMEs, or, could
the argument be a name which has an MX record which has an A record
matching the IP address. In a sense, that still means the argument
corresponds to the IP address (especially since we're talking about mail
here).

Given that you shouldn't refuse the message on that basis, it doesn't
matter what you mean by 'corresponds', but if people are starting to
refuse the message (or even 'redirect' it), it might need clarification.
This could affect your point above, where 'domain.com' doesn't have an A
record (so "doesn't resolve in the public DNS") but does have an MX
record referring to the host.
> 	* Noticing that the EHLO argument does not resolve to
> 	the address obtained from the connection, writing a
> 	private-use header into the message that records that
> 	fact, and then forwarding/delivering the message anyway.
> 	
> 	* Noticing that the EHLO argument does not resolve to
> 	the address obtained from the connection, delivering the
> 	message anyway, but delivering it to a folder different
> 	from the one that would normally be used for incoming
> 	messages associated with the RCPT command address.
>   
Yes.

There's also the 'not bothering to check the EHLO argument at all',
which is valid under 5321 AFAICS.

Also AFAICS, it could also use the failure of the EHLO argument as a
'hint' for further spam filtering. Eg, if the EHLO argument didn't
resolve to the IP address, it could treat it as 'more suspicious', so do
more rigorous spam checking, as long as it doesn't refuse to accept the
message solely on the basis of a failed IP address verification.

-- 
Paul Smith

VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows

v2.23.0 | Report a Bug | By Email