Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redirects
John C Klensin <john-ietf@jck.com> Fri, 10 July 2020 04:01 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 615B03A0BF4 for <ietf-smtp@ietfa.amsl.com>; Thu, 9 Jul 2020 21:01:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4j1tRCVEb18J for <ietf-smtp@ietfa.amsl.com>; Thu, 9 Jul 2020 21:01:08 -0700 (PDT)
Received: from bsa2.jck.com (ns.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89FFA3A0BF2 for <ietf-smtp@ietf.org>; Thu, 9 Jul 2020 21:01:08 -0700 (PDT)
Received: from [198.252.137.10] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1jtkDi-000Eg5-RB; Fri, 10 Jul 2020 00:01:06 -0400
Date: Fri, 10 Jul 2020 00:01:00 -0400
From: John C Klensin <john-ietf@jck.com>
To: E Sam <winshell64@gmail.com>, ietf-smtp@ietf.org
Message-ID: <6AEA7D44C8037B32BC1F3810@PSB>
In-Reply-To: <CAKFo7w=MJBt0FdnCcOZCXZWdkd6Jinv4TqwdpefdoaCncbZH3Q@mail.gmail.com>
References: <CAKFo7wkawgk-Yj676kE5MqK8XuebuArMexH-eOdq_Uo7ijdimQ@mail.gmail.com> <20200710015947.0BE2D1C78A2F@ary.qy> <CAKFo7w=MJBt0FdnCcOZCXZWdkd6Jinv4TqwdpefdoaCncbZH3Q@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/wMSOaEGei6Ach4QnOaz3trO0Lx8>
Subject: Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redirects
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 04:01:10 -0000
Hi. Well, I largely agree with John Levine except for a bit of history that just proves his point. Many years ago, at sort of the dawn of SMTP and at least in the environments I was working in, the use of 251 and 551 was fairly common, as was the use or VRFY to check out addresses. Over the years, all three fell into disuse as John says. Especially for the former two, that happened at least as much due to concerns about a variety of attacks as about information disclosure. Section 7.5 for RFC 5321 at least hints at the problem: if, as an SMTP-sender, I get a 557 or 558 (or a 551), I'd better be really sure that the system returning that code is authoritative for the addresses in question. That gets especially complicated when there is a multihop relay chain and, especially if the practice of opening the outgoing connection before the incoming one has completed, one cannot tell with any certainty where the report came from. Also remember that SMTP encourages, nay requires, that if an SMTP-sender gets back a reply code it does not recognize, it is required to ignore anything but the first digit. That predicts a fairly hard road at this point for new codes that are intended to convey subtle information. Agreeing with John that the underlying problems are not ones that new codes will solve and hence that the likelihood of acceptance and wide enough deployment to make this useful are low, two suggestions: (1) Stick with 551 but add extended codes that reflect exactly what you want and the distinctions you are trying to make. There may still be little adoption, but I believe (after not much thought) that the chances of harm are lower. (2) Expand your Security Considerations section (or some other section) to consider a broader range of possible attacks and configurations. For example, if encryption is only hop-by-hop, any server that has been compromised seriously enough to tell a client to rewrote a message probably has access to the plaintext in any sort of pipelining situation and likely some others. An analysis of what happens if the server generates these codes and the client interprets them as simply 5yz (as suggested above) and whether that would cause harm would be in order. Similarly, suppose SubmissionServer -> MTA1 -> MTA2 -> DeliveryMTA Now, let's assume MTA2 is an enterprise server with a list of forwarding addresses delivering only virus-checked messages with valid addresses to DeliveryMTA (a plausible situation in today's world). So it generates a 557 code. As I read your draft (perhaps too quickly) you expect MTA1 to forward/resend the message to the [new] correct address. But, if it does, what is it going to tell the submission server (if anything) especially if it, having received the message and agreed to pass it on, has already returned a 250 code and gotten QUIT in return. That takes us into NDN/DSN territory with all of the issues associated with those messages, in this case probably with a need to authenticate them end-to-end. best, john --On Thursday, July 9, 2020 22:47 -0400 E Sam <winshell64@gmail.com> wrote: > Hello all, > See the below email chain - I thought it would be a good idea > to send this to the ietf-smtp mailing list as well. > > Thanks > > ---------- Forwarded message --------- > From: John Levine <johnl@taugh.com> > Date: Thu, Jul 9, 2020 at 9:59 PM > Subject: Re: [dispatch] Forced SMTP redirects > To: <dispatch@ietf.org> > Cc: <winshell64@gmail.com> > > > I'd suggest reposting this to the ietf-smtp list where people > who've been around a lot longer than I have can explain why > nobody implements 551 redirects (and as far as I can tell, > nobody ever did) and there is assigning a different response > code won't change that. It may seem like a good idea, but > turns out not to work in practice. > > FWIW I looked through the last seven months of my mail > server's logs and the total number of 551 responses is zero. > > R's, > John > > PS: There have been some attempts at setting up > change-of-address services where you can register old and new > addresses, so mail servers could query them after getting a > 550, and they never went anywhere either. > > See US Patents 6,654,789, 6,892,222, and 7,080,122. > > On the other hand, a lot of mail systems now let users keep > their addresses after they leave, ranging from ISPs like > Comcast and Spectrum to universities who turn student > addresses into alumni addresses. They let you forward the > mail, or you can add it to the list of accounts your MUA > checks, or either or both. > > > > > In article > <CAKFo7wkawgk-Yj676kE5MqK8XuebuArMexH-eOdq_Uo7ijdimQ@mail.gmai > l.com> you write: >> Hello everyone, >> >> >> I have published a new internet-draft that might be of >> interest. >> >> >> As always, its on the Datatracker: >> >> https://datatracker.ietf.org/doc/draft-sam-smtp-redirects/ > > _______________________________________________ > ietf-smtp mailing list > ietf-smtp@ietf.org > https://www.ietf.org/mailman/listinfo/ietf-smtp
- [ietf-smtp] Fwd: [dispatch] Forced SMTP redirects E Sam
- Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redir… John C Klensin
- Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redir… John Levine
- Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redir… John C Klensin
- Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redir… E Sam
- Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redir… John R Levine
- Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redir… John Levine
- Re: [ietf-smtp] Fwd: [dispatch] Forced SMTP redir… Dave Crocker
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Viktor Dukhovni
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Dave Crocker
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Viktor Dukhovni
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Dave Crocker
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Viktor Dukhovni
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Sam Varshavchik
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Viktor Dukhovni
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects John Levine
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Arnt Gulbrandsen
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects John C Klensin
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Paul Smith
- Re: [ietf-smtp] [ dispatch] Forced SMTP redirects Laura Atkins
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Sam Varshavchik
- Re: [ietf-smtp] [ dispatch] Forced SMTP redirects Viktor Dukhovni
- Re: [ietf-smtp] [ dispatch] Forced SMTP redirects Laura Atkins
- Re: [ietf-smtp] [ dispatch] Forced SMTP redirects Ned Freed
- Re: [ietf-smtp] [ dispatch] Forced SMTP redirects Ned Freed
- Re: [ietf-smtp] [ dispatch] Forced SMTP redirects Laura Atkins
- Re: [ietf-smtp] [dispatch] Forced SMTP redirects Ned Freed