Re: IETF Policy on dogfood consumption or avoidance - SMTP version
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 15 December 2019 22:54 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41CB812002E for <ietf@ietfa.amsl.com>; Sun, 15 Dec 2019 14:54:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUbu0LcTIl-h for <ietf@ietfa.amsl.com>; Sun, 15 Dec 2019 14:54:33 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FD0E120013 for <ietf@ietf.org>; Sun, 15 Dec 2019 14:54:33 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id E1EB44E54E; Sun, 15 Dec 2019 17:54:32 -0500 (EST)
Date: Sun, 15 Dec 2019 17:54:32 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: IETF Policy on dogfood consumption or avoidance - SMTP version
Message-ID: <20191215225432.GC11489@straasha.imrryr.org>
Reply-To: ietf@ietf.org
References: <8EE11B75E1F8A7E7105A1573@PSB> <m2a77ttff6.wl-randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <m2a77ttff6.wl-randy@psg.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/dEK28U_ekKKlkX2sONgjDdJvGGQ>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Dec 2019 22:54:36 -0000
On Sun, Dec 15, 2019 at 02:03:25PM -0800, Randy Bush wrote: > I gotta ask two technical questions. > > o would it be technically easy for the smtp servers to accept ip > literals in a conforming manner? yes, this is a question for my > esteemed friend glen and his partner in crime, matt. Since the servers in question run Postfix, I feel I am well placed to answer that question with a "yes". Indeed Postfix accepts IP address literals in helo names by default. Even when Postfix is configured to reject non-FQDN forms: http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname Reject the request when the HELO or EHLO hostname is not in fully-qualified domain or address literal form, as required by the RFC. address literals are still accepted. It takes some effort to get Postfix to reject address literals, the administrator would have to implement a custom regular expression table, to accept some and reject other HELO name forms. For example: main.cf: smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access pcre:${config_directory}/helo.pcre helo.pcre: /^\[/ REJECT Address literals not welcome here > o what would the technical and/or security exposure or other > downside(s) be of doing so? Use of address literals is not common among carefully configured, well-maintained Internet-facing outbound relay MTAs. There is likely some positive correlation between address-literal use and generally sloppy MTA configuration, which might open said MTAs to abuse. That said, I personally doubt that use of address literals is a high-quality signal that distinguishes legitimate MTAs from abuse sources. It is merely a small indicator that the sending MTA is not up to best-practice. Keeping out junk is unavoidably a balancing act of trade-offs, some legitimate traffic is liable to get blocked. The key question with any approach one takes is whether it is sufficiently effective (how much junk is blocked) and whether the FP rate is low enough. -- Viktor. P.S. In my own Postfix configuration, I see: /^[\d.]+$/ 550 Your software is not RFC 2821 compliant which blocks "HELO 192.0.2.1", but not "HELO [192.0.2.1]". It could have been more precise to match only dotted quads. /^(?:\d+\.){3}\d+$/ 550 Your software is not RFC 2821 compliant Perhaps somewhere along the way, someone came up with a variant that does block address literals, whether deliberately or by accident.
- Re: IETF Policy on dogfood consumption or avoidan… Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- IETF Policy on dogfood consumption or avoidance -… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Randy Bush
- Re: IETF Policy on dogfood consumption or avoidan… John Levine
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Nick Hilliard
- Re: IETF Policy on dogfood consumption or avoidan… Keith Moore
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Salz, Rich
- Re: IETF Policy on dogfood consumption or avoidan… Keith Moore
- Re: IETF Policy on dogfood consumption or avoidan… Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: IETF Policy on dogfood consumption or avoidan… John R Levine
- Re: IETF Policy on dogfood consumption or avoidan… Randy Bush
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Keith Moore
- Re: IETF Policy on dogfood consumption or avoidan… Nick Hilliard
- Re: IETF Policy on dogfood consumption or avoidan… S Moonesamy
- Re: IETF Policy on dogfood consumption or avoidan… Glen
- Re: IETF Policy on dogfood consumption or avoidan… Nick Hilliard
- Re: IETF Policy on dogfood consumption or avoidan… Phillip Hallam-Baker
- Re: IETF Policy on dogfood consumption or avoidan… Glen
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Andrew G. Malis
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Andrew G. Malis
- Re: IETF Policy on dogfood consumption or avoidan… Randy Bush
- Re: IETF Policy on dogfood consumption or avoidan… Jay Daley
- Re: IETF Policy on dogfood consumption or avoidan… Andrew G. Malis
- Re: IETF Policy on dogfood consumption or avoidan… Jay Daley
- Re: IETF Policy on dogfood consumption or avoidan… Rob Sayre
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Salz, Rich
- Re: IETF Policy on dogfood consumption or avoidan… Alissa Cooper
- Re: IETF Policy on dogfood consumption or avoidan… Jay Daley
- Re: IETF Policy on dogfood consumption or avoidan… Hector Santos
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Brian E Carpenter
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Hector Santos
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Salz, Rich
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Keith Moore
- Re: [ietf-smtp] the inedible parts of IETF dogfoo… John Levine
- Re: [ietf-smtp] the inedible parts of IETF dogfoo… Keith Moore
- Re: [ietf-smtp] the inedible parts of IETF dogfoo… George Michaelson
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Randy Bush
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Hector Santos
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Hector Santos
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Eliot Lear
- Re: IETF Policy on dogfood consumption or avoidan… Alissa Cooper
- Re: [ietf-smtp] epostage is still a bad idea, the… John R Levine
- Re: [ietf-smtp] IETF Policy on dogfood consumptio… Salz, Rich
- Re: [ietf-smtp] epostage is still a bad idea, the… Phillip Hallam-Baker
- Re: IETF Policy on dogfood consumption or avoidan… Keith Moore
- Re: IETF Policy on dogfood consumption or avoidan… Hector Santos
- Re: IETF Policy on dogfood consumption or avoidan… John C Klensin
- Re: IETF Policy on dogfood consumption or avoidan… Eliot Lear
- Re: IETF Policy on dogfood consumption or avoidan… Alessandro Vesely
- Re: IETF Policy on dogfood consumption or avoidan… Viktor Dukhovni
- Re: IETF Policy on dogfood consumption or avoidan… Eliot Lear
- Re: IETF Policy on dogfood consumption or avoidan… Hector Santos
- Re: [ietf-smtp] epostage is still a bad idea, the… Brandon Long
- Re: [ietf-smtp] epostage is still a bad idea, the… Phillip Hallam-Baker
- Re: IETF Policy on dogfood consumption or avoidan… Valdis Kl=?utf-8?Q?=c4=93?=tnieks
- Re: IETF Policy on dogfood consumption or avoidan… Hector Santos
- The dogfood discussion (was: Re: IETF Policy on d… John C Klensin
- Re: The dogfood discussion (was: Re: IETF Policy … Viktor Dukhovni
- Re: The dogfood discussion (was: Re: IETF Policy … Eliot Lear (elear)