IETF Logo Mail Archive

Re: IETF Policy on dogfood consumption or avoidance - SMTP version

Keith Moore <moore@network-heretics.com> Wed, 18 December 2019 23:03 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77AAD120047 for <ietf@ietfa.amsl.com>; Wed, 18 Dec 2019 15:03:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7lf_pFZcQ1BM for <ietf@ietfa.amsl.com>; Wed, 18 Dec 2019 15:03:22 -0800 (PST)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31471120013 for <ietf@ietf.org>; Wed, 18 Dec 2019 15:03:22 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 68EC2583; Wed, 18 Dec 2019 18:03:21 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Wed, 18 Dec 2019 18:03:21 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=VwdG40 uMECnzN0eFCJGiLm1goQtmQ8uhSiiXz0B7Eqg=; b=Rl416xjc3lJ2vdkd8U2Bdt FbmGpfd1H4fezdSvj7wL6maJhHZAzc+GiBkTPnGCSj6FASj/C5VT8vD2orRQI8b8 iIAqXbg0LPSh7ybxoWLQ4knE270IllPRYAOJRwcjSblwQxjxVfNM6YjA0gIL8WlO glk3YmOlSL+/KgRbgRoHkvcJeGJ7gO3yVpQFSXepmA1bhqeO31fQVpCgr6+PZz/L 2VQ97DrkB/nNE/FwzQB4KsYLj7wGWFDtBXjhPK6rJpw5hYowpN6YrhoOgWwt3tPk LaokzKUa7WWTaw9gUDEXWYankLRgLz9yxsbU6xy0LgDvzf8t1LeHky+SMWVl+cBw ==
X-ME-Sender: <xms:OLD6XYuhGfjl9YlG0eAYUiNCo1_f_oi3uAvW2f6nLYLtgRlQQwnW4g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrvddutddgtdegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefuvfhfhffkffgfgggjtgesrgdtre ertdefjeenucfhrhhomhepmfgvihhthhcuofhoohhrvgcuoehmohhorhgvsehnvghtfiho rhhkqdhhvghrvghtihgtshdrtghomheqnecukfhppedutdekrddvvddurddukedtrdduhe enucfrrghrrghmpehmrghilhhfrhhomhepmhhoohhrvgesnhgvthifohhrkhdqhhgvrhgv thhitghsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:OLD6Xau9DdfM1vTDXRVsWyXk0o7ae5Hc27eoCL5pSFmORMzl2MYQkA> <xmx:OLD6XWazMTERBNEAZp8OoZG5h9GkRT89H4MRWkSpSvcPLAg6Szbnpg> <xmx:OLD6Xa4iJjH_cmrdxsBB-NWJn2U77dXyktmMMfaoUHWzUvYcakk6Gg> <xmx:ObD6XT6WAhmLu5FXe4JNcgDn1NY0LHqvljBsXDdvFwTbdDwZWKLXGA>
Received: from [192.168.1.97] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id D8347306030B; Wed, 18 Dec 2019 18:03:18 -0500 (EST)
Subject: Re: IETF Policy on dogfood consumption or avoidance - SMTP version
To: ietf@ietf.org
References: <8EE11B75E1F8A7E7105A1573@PSB> <m2a77ttff6.wl-randy@psg.com> <CABL0ig4Wz-0dk7bsRpaN6pni2rHEc-jPnygwed_Hygy+CiehQA@mail.gmail.com> <16306b3a-63bd-621e-636c-dd7626f74733@foobar.org> <4D7EEBF62E149D1F23BA6A32@PSB> <58595081-6F4F-45E2-9798-B691AC919D28@cisco.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <8b77885c-6094-f7cd-e0c2-97db2dd46d6b@network-heretics.com>
Date: Wed, 18 Dec 2019 18:03:17 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <58595081-6F4F-45E2-9798-B691AC919D28@cisco.com>
Content-Type: multipart/alternative; boundary="------------C924C67BD8546C1F06D310C0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/ME6FiuggxHm8-FS0Vso5J3eZzCE>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2019 23:03:25 -0000

On 12/18/19 3:12 AM, Eliot Lear wrote:

> On the general issue, as the late Brian Kantor said, RFCs serve us 
> best when they document existing practice.

I do not think this is defensible as a general statement, at least not 
when stated in that way.   There are cases when this is true, such as 
when existing practice has evolved to figure out what actually works 
well, and RFCs have evolved to document it. But that neglects the very 
purpose of engineering of our protocols, which is to determine what will 
work well before it becomes existing practice.   Engineering is 
imperfect, of course, which is why we revise those RFCs in light of 
experience, but good engineering produces good practice much more often 
than not.

Sometimes our first RFC documents a protocol that is already in use, in 
which case we have a dilemma - should the RFC document existing practice 
or should it document what is believed to be good practice?   I have 
seen many instances in which this conflict produces poor specifications, 
in which either documenting existing practice, or specifying what is 
believed to be good practice, would produce a more useful result than 
trying to do both.   It is imperative that the WG in such a case have 
clear instructions as to which it should do.   But it's not always the 
case that the WG should favor existing practice.

Another problem with that statement is that, if taken as true on its 
face, _any_ existing practice, no matter how poorly chosen or rarely 
employed, can be used to argue for ignoring an RFC or changing text in 
the RFC when it is revised.

In the case of SMTP, of course, many changes made between RFC 821 and 
RFC 5321 reflect lessons learned in the ~26 years of experience with 
SMTP during that interval, just as RFC 821 reflected several years of 
experience with email-over-FTP prior to the invention of SMTP.    The 
rule in RFC 5321 that permits an IP address literal in HELO/EHLO is one 
such example.   Servers that rejected messages based on HELO/EHLO were 
found to frequently reject valid mail.   Perhaps unfortunately, RFC 5321 
only reflects the change learned from that experience and does not 
record the experience that led to that decision - so people today may 
naively believe that the language in 5321 is a mistake or accident.   It 
was neither of those.

Email usage does continue to change, so a decision should not be taken 
as valid forever just because it was once sound.   This is equally true, 
BTW, for the language in RFC 5321, as it is for an operational change to 
reject EHLO with IP address literals.

I do support empowering operators, in exigent circumstances, to do 
whatever appears to be necessary to allow successful operation to 
continue.  But the process should not stop there.   When the effect of 
such decisions accumulates over time, and the corrective measures 
continue to be justified because "they've been that way forever", the 
result is generally to degrade the ability of the network to support 
applications and changing usage patterns.   So IMO there's a need to 
document the reasons for such measures, and to measure and track their 
effectiveness over time.   And because this check happens before the 
message content is actually transmitted, the only way to measure 
effectiveness of a rejection on EHLO arguments is to let some 
statistically representative sample of such messages through from time 
to time and actually measure how valid a check it turns out to be.

> This is entirely in accord with the “running code” part of our mantra: 
> if network needs dictate that the RFC not be followed to the letter, 
> then so be it.  I would actually *like* that we are demonstrating this 
> point and reenforcing that our standards are voluntary, but for the 
> fact that I don’t think the standard was substantially violated. 
>  That’s my second point.
>
This is not "running code" in the sense that we usually use the term.   
It's not a change made by a well-supported SMTP server. It's a 
configuration change made by one site for which very little evidence to 
support it has been cited.   Even then, the assertion was that this 
configuration was more efficient, not that it resulted in a better 
overall ham-to-spam ratio.   And of course IETF is not just an ordinary 
site, it sets (or should set) an example for others to follow.

>
> If one looks at RFC 5321, there are three reasons to think that really 
> the standard does not prohibit the behavior being described.  First, 
> the text in 4.1.4 doesn’t actually prohibit the rejecting literals. 
>  Here is what is said:
>
>  If the EHLO command is not acceptable to the SMTP server, 501, 500,
> 502, or 550 failure replies MUST be returned as appropriate.
>
> At this point in the transaction, it may not be readily apparent that 
> the EHLO indeed is unacceptable.  That’s because the server may need 
> to gather more information, such as the recipient, in order to check 
> against SPF records or other inputs delivered later to make a decision.
I disagree.   The EHLO argument is immaterial to any check on validity 
of a recipient address.   And one subtlety of SMTP is that a response to 
a RCPT TO command is generally taken as a response for that specific 
recipient, so it's generally not appropriate to complain about EHLO in 
response to RCPT TO.
>
>    An SMTP server MAY verify that the domain name argument in the EHLO
>    command actually corresponds to the IP address of the client.
>    However, if the verification fails, the server MUST NOT refuse to
>    accept a message on that basis.
>
> That “MUST NOT” conflicts with the most important principle we have to 
> go with in order to defend against spam and malware, as clearly stated 
> in Section 7.9:
>
> It is a well-established principle that an SMTP server may refuse to
> accept mail for any operational or technical reason that makes sense
> to the site providing the server.

The MUST NOT exists for the very reason that rejection of messages 
because of EHLO arguments was found to be detrimental to 
interoperability, because too many SMTP servers were conducting 
inappropriate checks.

>
> And so the server chose to reject a message.  I would add that an 
> erratum should be filed to resolve this conflict.

I disagree.   Or at least, I don't think IETF should dismiss the many 
person-decades of experience that went into RFC 5321, based on a single 
assertion by one operator that they found it beneficial to do so.   I do 
think IETF should probably research the matter, but I'm not sure that an 
erratum is appropriate.

> Finally, we cannot CANNOT CANNOT micromanage secretariat and mailing 
> list operations on the IETF list.

I mostly agree, but this is still a red flag.   When the secretariat or 
operators believe they see a need to violate IETF consensus, they should 
at least explain to IESG why they are doing so, and IESG should refer 
the matter to the appropriate area or working group for 
investigation.    Partially because this is potentially valuable 
feedback for IETF standards, but also because it reflects poorly on our 
organization and impairs the perceived value of our standards when we 
refuse to eat our own dog food.

And it should be fine to discuss these things on the IETF list or on an 
appropriate topical IETF mailing list.   But neither the IETF list nor 
an IETF WG should not be trying to issue any kind of immediate 
instructions to IETF operations personnel, unless asked to do so by the 
IESG.

> This does NOT impact open participation, when anyone can get free 
> email service on any number of platforms that work just fine with the 
> IETF.  That this message didn’t meet the extremely low barrier of 
> setting up a PTR record when > 99% of SMTP client connections are best 
> classed as attacks.

As I understand the situation, that wasn't the problem. Messages 
were/are being rejected merely because they used IP address literals in 
EHLO, whether or not there was a PTR record.

> That THAT isn’t recognized as THE problem the IETF should work on with 
> regard to email is disturbing.

To me the disturbing thing is that so many operators feel empowered to 
impose arbitrary and often meaningless checks on email in the name of 
filtering supposed spam, checks that are quite often not backed up by 
careful and continued measurement and appropriate use of statistics.    
But again, this may be due to a failure of IETF to make appropriate 
protocol changes and/or operational recommendations to facilitate more 
accurate spam filtering.    IMO the "operators can do whatever they 
want" idea has degraded interoperability for far too long, but we can't 
really expect operators to do better unless we give them better tools.

Keith

v2.23.0 | Report a Bug | By Email