Re: IETF Policy on dogfood consumption or avoidance - SMTP version
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 16 December 2019 17:05 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9132B12085F for <ietf@ietfa.amsl.com>; Mon, 16 Dec 2019 09:05:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.714
X-Spam-Level:
X-Spam-Status: No, score=-2.714 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FAKE_REPLY_C=1.486, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sFqRnqtAt1Si for <ietf@ietfa.amsl.com>; Mon, 16 Dec 2019 09:05:00 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEF4812085E for <ietf@ietf.org>; Mon, 16 Dec 2019 09:04:59 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 3E43E4F002; Mon, 16 Dec 2019 12:04:59 -0500 (EST)
Date: Mon, 16 Dec 2019 12:04:59 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Cc: Glen <glen@amsl.com>
Subject: Re: IETF Policy on dogfood consumption or avoidance - SMTP version
Message-ID: <20191216170459.GG11489@straasha.imrryr.org>
Reply-To: ietf@ietf.org, Glen <glen@amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <16306b3a-63bd-621e-636c-dd7626f74733@foobar.org> <CABL0ig4Wz-0dk7bsRpaN6pni2rHEc-jPnygwed_Hygy+CiehQA@mail.gmail.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/M5-6LsN3SqTGKk4YszZ2oZ2Yhl8>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Dec 2019 17:05:02 -0000
On Mon, Dec 16, 2019 at 08:11:11AM -0800, Glen wrote: > On Mon, Dec 16, 2019 at 7:43 AM Randy Bush <randy@psg.com> wrote: > > o would it be technically easy for the smtp servers to accept ip > > literals in a conforming manner? yes, this is a question for my > > esteemed friend glen > > Extremely easy. The statements already made about Postfix are > correct. There is a configuration file, with two lines in it: > > /^[0-9.]+$/ 550 RFC2821 violation > /^\[[0-9.]+\]$/ 550 RFC2821 violation While the patterns look similar, the first one rejects non-compliant "EHLO 192.0.2.1" and similar dotted quads (or more generally some mixture of digits and dots), the second rejects RFC-compliant address literals. So at least the second message should probably be different, if the rule is retained. > Changing the messages may have a positive or negative security > exposure in that it might either (a) send the message that we (the > IETF) are watching and know what we're doing and scare attackers off, > or (b) might cause attackers to abandon this channel (which at the > moment could be a honeypot-esque bit bucket) and focus on other > methods of attack. But I think both of those things are extremely > small side-effects. In this case, Postfix already augments the message with sufficient context to make the custom message text immaterial to everyone other than RFC subject-matter experts. The sender can determine that it is the EHLO name that is being rejected. 550 5.7.1 <[192.0.2.1]>: Helo command rejected: RFC2821 violation But this being a community of RFC subject-matter experts, the text is subject to further scrutiny. It can be changed with no impact other than addressing its correctness viz. the RFC. > > o what would the technical and/or security exposure or other > > downside(s) be of doing so? > > These rules have been in place for roughly 10-ish years, as has > already been explained by John. They are in essence gateway checks, > which occur before other measures like Postconfirm or Spamassassin see > the messages. On a given day, there are between 700 and 1000 incoming > messages rejected by this rule. The name "postconfirm" suggests a component that asks (purported) senders of borderline messages to confirm their existence/intent to send the message. One should indeed strive to use that sparingly. Or is this just Postfix sender address verification (SAV), which merely checks that the MX hosts of the sender domain don't reject the sender address? > Removing the rules would increase the load on Spamassassin and - for > that subset of those 1000 messages per day that pass through > Spamassassin's upper threshhold - cause us to send out challenge > emails to the (potentially forged) senders of all of those emails. Here we get to the question of whether the second rule should be kept or dropped. Do you know which of the two accounts for the bulk of the rejected traffic? The rules could be moved below any RBL or other IP reputation checks, below any RHSBL or other sender domain reputation checks, but still above rules that would trigger "challenge messages". Then their marginal utility would be more easily discerned. If the challenge messages are generated after a message is accepted, (with the message sitting in a quarantine queue waiting for the verdict), then the HELO checks can be used quite late, at any point before the message is accepted, which would again help to determine whether other measures already in place largely obviate their need. If you don't have SAV, you could even have: smtpd_data_restrictions = check_helo_access pcre:${config_directory}/helo.pcre and defer the HELO checks to DATA, by which point all the RBL checks have run, invalid recipients have been turned away, ... Anyway, perhaps more than you wanted to know, or this list wants to read. But if you do want to explore your options further, you could ask on the postfix-users list. -- Viktor.
- Re: IETF Policy on dogfood consumption or avoidan… Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- IETF Policy on dogfood consumption or avoidance -… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Randy Bush
- Re: IETF Policy on dogfood consumption or avoidan… John Levine
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Nick Hilliard
- Re: IETF Policy on dogfood consumption or avoidan… Keith Moore
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Salz, Rich
- Re: IETF Policy on dogfood consumption or avoidan… Keith Moore
- Re: IETF Policy on dogfood consumption or avoidan… Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: IETF Policy on dogfood consumption or avoidan… John R Levine
- Re: IETF Policy on dogfood consumption or avoidan… Randy Bush
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Keith Moore
- Re: IETF Policy on dogfood consumption or avoidan… Nick Hilliard
- Re: IETF Policy on dogfood consumption or avoidan… S Moonesamy
- Re: IETF Policy on dogfood consumption or avoidan… Glen
- Re: IETF Policy on dogfood consumption or avoidan… Nick Hilliard
- Re: IETF Policy on dogfood consumption or avoidan… Phillip Hallam-Baker
- Re: IETF Policy on dogfood consumption or avoidan… Glen
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Andrew G. Malis
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Andrew G. Malis
- Re: IETF Policy on dogfood consumption or avoidan… Randy Bush
- Re: IETF Policy on dogfood consumption or avoidan… Jay Daley
- Re: IETF Policy on dogfood consumption or avoidan… Andrew G. Malis
- Re: IETF Policy on dogfood consumption or avoidan… Jay Daley
- Re: IETF Policy on dogfood consumption or avoidan… Rob Sayre
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Salz, Rich
- Re: IETF Policy on dogfood consumption or avoidan… Alissa Cooper
- Re: IETF Policy on dogfood consumption or avoidan… Jay Daley
- Re: IETF Policy on dogfood consumption or avoidan… Hector Santos
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Brian E Carpenter
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Hector Santos
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Salz, Rich
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Keith Moore
- Re: [ietf-smtp] the inedible parts of IETF dogfoo… John Levine
- Re: [ietf-smtp] the inedible parts of IETF dogfoo… Keith Moore
- Re: [ietf-smtp] the inedible parts of IETF dogfoo… George Michaelson
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Randy Bush
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Hector Santos
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Hector Santos
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Eliot Lear
- Re: IETF Policy on dogfood consumption or avoidan… Alissa Cooper
- Re: [ietf-smtp] epostage is still a bad idea, the… John R Levine
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Salz, Rich
- Re: [ietf-smtp] epostage is still a bad idea, the… Phillip Hallam-Baker
- Re: IETF Policy on dogfood consumption or avoidan… Keith Moore
- Re: IETF Policy on dogfood consumption or avoidan… Hector Santos
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Eliot Lear
- Re: IETF Policy on dogfood consumption or avoidan… Alessandro Vesely
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Eliot Lear
- Re: IETF Policy on dogfood consumption or avoidan… Hector Santos
- Re: [ietf-smtp] epostage is still a bad idea, the… Brandon Long
- Re: [ietf-smtp] epostage is still a bad idea, the… Phillip Hallam-Baker
- Re: IETF Policy on dogfood consumption or avoidan… Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: IETF Policy on dogfood consumption or avoidan… Hector Santos
- The dogfood discussion (was: Re: IETF Policy on d… John C Klensin
- Re: The dogfood discussion (was: Re: IETF Policy … Viktor Dukhovni
- Re: The dogfood discussion (was: Re: IETF Policy … Eliot Lear (elear)