Re: [ietf-smtp] EHLO domain validation requirement in RFC 5321

Keith Moore <> Mon, 28 September 2020 21:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 393D83A0CC1 for <>; Mon, 28 Sep 2020 14:39:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.213, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YFpO5ZYOK8-3 for <>; Mon, 28 Sep 2020 14:39:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 897FE3A141B for <>; Mon, 28 Sep 2020 14:39:26 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal []) by mailout.west.internal (Postfix) with ESMTP id EE325C32 for <>; Mon, 28 Sep 2020 17:39:24 -0400 (EDT)
Received: from mailfrontend1 ([]) by compute4.internal (MEProxy); Mon, 28 Sep 2020 17:39:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=rwHx3vE4ak+njT9DvONAHds7vsQSDNwcDOmqdATUJ Uc=; b=jVd4W9IsVGZg+Vph4/Z0GGot/a4OQWFgkdNDmr5p4tYcgCyhF0sajqioE 7mZ6Qwm7DreGKLHVL2djLchBw9sXn+ScPjakTPIxgVS87/w2tD+tTSIV/LvrXSCK oula6wH99D+FfnUf71wl35iqcfb0gnCzcFgaWP5ZLdKegkRtzfRDhdTM8QQT2tmY 4ncllzZpLWAli6irZkqplCcJgxGDGYtzWbQqX/vTbJrCDr48C9sO8c/5tpJNIxG9 gUdZFS0Ko6hF8yyxcUQDn0dGlTRSOop9rH9Lypzt/+579qQa+p4flgBSXKjKrzuF O0m+yj4kA/6IPYGUDAjxfkJjOTM5Q==
X-ME-Sender: <xms:DFhyX-eE_aaRa25ogLIr0ks6niElIVeRX2Nk-D8n3myExh_RhD85Mw> <xme:DFhyX4M8Q_4vS7fVoZSVhBF5_ZoatVCeuIwMmiDUTvO2CZA8lB0XKOkYgPiMijYqM lT5PVk0nVHQgg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrvdejucetufdoteggodetrfdotffvucfrrh hofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgenuceurghi lhhouhhtmecufedttdenucenucfjughrpefuvfhfhffkffgfgggjtgfgsehtkeertddtfe ejnecuhfhrohhmpefmvghithhhucfoohhorhgvuceomhhoohhrvgesnhgvthifohhrkhdq hhgvrhgvthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpeehhfeutdehfefgfefghf ekhefguefgieduueegjeekfeelleeuieffteefueduueenucfkphepuddtkedrvddvuddr udektddrudehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh homhepmhhoohhrvgesnhgvthifohhrkhdqhhgvrhgvthhitghsrdgtohhm
X-ME-Proxy: <xmx:DFhyX_jNIgW7hm7ni5f9E1CcAa8h4Zheg37NCLcEIUm4dpjsN1h9YA> <xmx:DFhyX7_uYarp7fWO35JL7cpl1c5XHmnMTtDK_l6J2W-055RRaggt-g> <xmx:DFhyX6sFin4VyMuuld1gD7raYNz_OPXT0VPOI1sA1nB8zN5syoXn8A> <xmx:DFhyX3NmGoWGSCHPPXvfv8PUcCnr_sI9SOCkO6dV5CidxmEZOtGtJQ>
Received: from [] ( []) by (Postfix) with ESMTPA id CB92F328005E for <>; Mon, 28 Sep 2020 17:39:23 -0400 (EDT)
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Keith Moore <>
Message-ID: <>
Date: Mon, 28 Sep 2020 17:39:22 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [ietf-smtp] EHLO domain validation requirement in RFC 5321
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Sep 2020 21:39:28 -0000

On 9/28/20 9:49 AM, Laura Atkins wrote:

>> Most of this is what I've picked up reading IETF lists and trade 
>> publications for years.   I guess I thought it was common knowledge 
>> within IETF that NATs were increasingly being used in these ways - 
>> certainly there were many discussions about it in IETF several years 
>> ago.
> NATs, yes. NATs handling significant amounts of SMTP traffic, I’ve not 
> seen any evidence for.
It's fairly clear that NAT44s aren't just used in consumer routers any 
more.     What I don't know is, are the ISPs that are imposing NATs only 
doing so on consumer traffic for now (and thus still likely to be 
spam/malware)?,   Or does/will this affect enterprise traffic also?

It's also fairly clear to me that we (IETF) don't want to impose 
unnecessary requirements to support IPv4.

We should also take care that we don't impose US or first-world 
assumptions on global email operations, because people in areas with 
less IPv4 address space need to cost-effectively send email too.

> And if it’s just an issue of NATs, there are other solutions. So the 
> question really becomes: is this an issue affecting large amounts of 
> email? What emails is it affecting? Is it likely to affect email in 
> the future? That’s the kind of evidence I was asking for. Tell me, how 
> much traffic, does this affect now? How much traffic do we expect this 
> to affect moving forward? What tools are we removing from filters if 
> we say they cannot evaulate the hostname? What impact does that have 
> on them?

I would say that the questions are more like: is this issue imposing a 
burden on MSPs or enterprises trying to send email? Are those 
organizations having to jump through hoops to send email that they 
shouldn't have to jump through?   Is this marginalizing small 
organizations or unnecessarily forcing them to use external MSPs when 
they shouldn't need to?   How much worse will this problem become in the 
future if not addressed?

> The next round of questions will look something like:
> Is this a RFC status that MTA operators are simply going to ignore? In 
> the email space we have some very large players who handle billions of 
> emails a day and blatantly violate the RFCs. ’But the RFC says’ is 
> not, in my experience, a persuasive argument for these types. They 
> usually have significant analysis and data that shows that the 
> operational and human problems resulting from their lack of 
> implementation is not enough to force them to follow the RFCs. Simply 
> saying something MUST or MUST NOT be done doesn’t actually result in 
> that happening.

I think that's completely the wrong question.   Our job is to figure out 
what it takes to make email work well, not to cater to large players.    
Sure they might ignore the advice, but it's not IETF's job to legitimize 
harmful behavior.

> And then there is the abuse problem. I understand that it’s outside 
> the scope of the rewrite here but it is relevant for adoption. There 
> are absolutely cases where interoperability takes a back seat to 
> protecting the network.

I have no problem with filtering malware as long as there's a reliable 
indication that it's malware.   I have a lot of problem with IETF 
endorsing a practice of MSPs imposing shortsighted and meaningless 

>>>> The changes I see happening include the increasing scarcity of IPv4 
>>>> address space and the consequent emergence of IPv6-only network 
>>>> providers using NAT to move packets between IPv4 and IPv6 
>>>> addressing domains.  I'm also anticipating the need to eventually 
>>>> phase out the public IPv4 Internet altogether.
>>> Or we could write the BIS to recommend anyone running v4 services 
>>> also provide v6 services, couldn’t we? Take the burden off the v6 
>>> only systems which are likely newer entrants and put it on the ‘old 
>>> timers’ who’ve been around for decades.
>> We could make such a recommendation.   Though I expect, that like 
>> spam filterers, network operators will do what they want, and 
>> consider themselves justified in doing so, regardless of what we 
>> recommend.
>> I suspect that the task before us is to make recommendations that 
>> both spam filterers and network operators will find palatable.
> So why are we wasting time on the EHLO evaulation question, if that’s 
> the case.

It's a question that needs to be resolved before we can consider 5321 
ready for publication.

>>>> (From operators' perspective: how long does it make sense for every 
>>>> network to maintain its IPv4 baggage, just so that email won't be 
>>>> blocked?   At the very least we need input from network operators.)
>>> My experience is that folks running MTAs on IPv6 actually enact 
>>> stricter technical requirements on those systems. For instance, many 
>>> IPv4 servers will accept mail without valid rDNS on the sending IP 
>>> or will accept mail without SPF records, while the IPv6 servers run 
>>> by the same entities require those things directly.
>> It might even make sense for IPv6 operations to "raise the bar".   
>> For example, PTR lookup of IPv6 addresses allows finer-grained 
>> delegation than PTR lookup of IPv4 addresses.   But regardless of 
>> what some operators are doing, I think this requires careful analysis 
>> to justify from a standards perspective.   I suspect there will be 
>> IPv4-only networks with a legitimate need to originate mail to 
>> IPv6-only servers.
> You suspect, but I’m not convinced your suspicions are a reason to 
> upend current practices.

I'm not convinced that such practices are a reason to delay transition 
to IPv6.