IETF Logo Mail Archive

Re: IETF Policy on dogfood consumption or avoidance - SMTP version

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 15 December 2019 22:54 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41CB812002E for <ietf@ietfa.amsl.com>; Sun, 15 Dec 2019 14:54:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUbu0LcTIl-h for <ietf@ietfa.amsl.com>; Sun, 15 Dec 2019 14:54:33 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FD0E120013 for <ietf@ietf.org>; Sun, 15 Dec 2019 14:54:33 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id E1EB44E54E; Sun, 15 Dec 2019 17:54:32 -0500 (EST)
Date: Sun, 15 Dec 2019 17:54:32 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: IETF Policy on dogfood consumption or avoidance - SMTP version
Message-ID: <20191215225432.GC11489@straasha.imrryr.org>
Reply-To: ietf@ietf.org
References: <8EE11B75E1F8A7E7105A1573@PSB> <m2a77ttff6.wl-randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <m2a77ttff6.wl-randy@psg.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/dEK28U_ekKKlkX2sONgjDdJvGGQ>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Dec 2019 22:54:36 -0000

On Sun, Dec 15, 2019 at 02:03:25PM -0800, Randy Bush wrote:

> I gotta ask two technical questions.
> 
>   o would it be technically easy for the smtp servers to accept ip
>     literals in a conforming manner?  yes, this is a question for my
>     esteemed friend glen and his partner in crime, matt.

Since the servers in question run Postfix, I feel I am well placed to
answer that question with a "yes".  Indeed Postfix accepts IP address
literals in helo names by default.  Even when Postfix is configured
to reject non-FQDN forms:

    http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname

    Reject the request when the HELO or EHLO hostname is not in
    fully-qualified domain or address literal form, as required by the
    RFC.

address literals are still accepted.

It takes some effort to get Postfix to reject address literals, the
administrator would have to implement a custom regular expression table,
to accept some and reject other HELO name forms.  For example:

  main.cf:
    smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        check_helo_access pcre:${config_directory}/helo.pcre

  helo.pcre:
    /^\[/   REJECT Address literals not welcome here


>   o what would the technical and/or security exposure or other
>     downside(s) be of doing so?

Use of address literals is not common among carefully configured,
well-maintained Internet-facing outbound relay MTAs.  There is likely
some positive correlation between address-literal use and generally
sloppy MTA configuration, which might open said MTAs to abuse.

That said, I personally doubt that use of address literals is a
high-quality signal that distinguishes legitimate MTAs from abuse
sources.  It is merely a small indicator that the sending MTA is
not up to best-practice.

Keeping out junk is unavoidably a balancing act of trade-offs, some
legitimate traffic is liable to get blocked.  The key question with
any approach one takes is whether it is sufficiently effective (how
much junk is blocked) and whether the FP rate is low enough.

-- 
    Viktor.

P.S.

In my own Postfix configuration, I see:

    /^[\d.]+$/  550 Your software is not RFC 2821 compliant

which blocks "HELO 192.0.2.1", but not "HELO [192.0.2.1]".  It could
have been more precise to match only dotted quads.

    /^(?:\d+\.){3}\d+$/ 550 Your software is not RFC 2821 compliant

Perhaps somewhere along the way, someone came up with a variant
that does block address literals, whether deliberately or by
accident.

v2.23.0 | Report a Bug | By Email