IETF Logo Mail Archive

Re: IETF Policy on dogfood consumption or avoidance - SMTP version

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 17 December 2019 19:24 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73927120889; Tue, 17 Dec 2019 11:24:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BIm59nmcWZ8; Tue, 17 Dec 2019 11:24:45 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 890F012087B; Tue, 17 Dec 2019 11:24:45 -0800 (PST)
Received: from [10.200.2.180] (sdzac10-108-1-nat.nje.twosigma.com [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 97D745449A; Tue, 17 Dec 2019 14:24:44 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Subject: Re: IETF Policy on dogfood consumption or avoidance - SMTP version
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <5DF92645.2090909@isdg.net>
Date: Tue, 17 Dec 2019 14:24:43 -0500
Cc: ietf-smtp@ietf.org
Reply-To: ietf-smtp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E314E2AC-C69C-4828-AD5F-33C0EFD4E0FE@dukhovni.org>
References: <8EE11B75E1F8A7E7105A1573@PSB> <m2a77ttff6.wl-randy@psg.com> <CABL0ig4Wz-0dk7bsRpaN6pni2rHEc-jPnygwed_Hygy+CiehQA@mail.gmail.com> <16306b3a-63bd-621e-636c-dd7626f74733@foobar.org> <DBADBA1F-5F81-4D14-8AF8-5F340F017DAC@ietf.org> <5DF92645.2090909@isdg.net>
To: ietf@ietf.org
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/d0X90jkGqBypEfVWLwfhnD4jNXo>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Dec 2019 19:24:51 -0000

> On Dec 17, 2019, at 2:02 PM, Hector Santos <hsantos=40isdg.net@dmarc.ietf.org> wrote:
> 
> But here is I see it:
> 
> 1) Yes, everyone agree the response text needs to be fixed up, but
> 
> 2) It is in fact a violation of RFC2821/5321 specification when a rejection is applied by a server to a perfectly valid ip-literal per specification, and

It is not in fact.  A receiving MTA can refuse your email for any reason.
As a matter of RFC-compliance it MUST recognize address literals as
valid syntax (which it did by returning a 550 rather than 500 or 501),
but is then free to reject them on policy grounds.

> 3) It lacks consistency in its operational decision on what Client Mail/Host Names are rejected or accepted.

This is also not true.  It consistently rejects address literals because
doing so carries little risk of false positives (as already explained on
the ietf-smtp list, where the more technical discussion belongs).  "Real"
MTAs use domain names.  It is as simple as that.

> If a rejection is going to apply to ip-literals, hence enforcing a FQDN, then at the very least, it should validate the FQDN.

No, because enough "Real" MTAs use HELO domain names that don't map to
their own IP address, or any address at all.  So the risk of FPs is
too high.

There is no a priori discrimination here, it is all just based on what
one can get away with to reduce spam without blocking a non-trivial
volume of legitimate email.

> The mail.ietg.org servers appears to accept any FQDN including a existing
> FQDN which does not match the connecting IP address and a non-existing FQDNs:

As they must for operational reasons.

> Yet, it does not validate the FQDN. Why?

Because, much as one might want to, too many "Real" MTAs (sending
legitimate traffic) have FQDNs that would fail verification.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email