Re: Last Call: draft-ietf-opes-smtp-security (Integrity, privacy and security in OPES for SMTP) to Informational RFC
Frank Ellermann <nobody@xyzzy.claranet.de> Mon, 08 January 2007 20:14 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H40t9-0004K5-DS; Mon, 08 Jan 2007 15:14:35 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H40t8-0004K0-LO for ietf@ietf.org; Mon, 08 Jan 2007 15:14:34 -0500
Received: from main.gmane.org ([80.91.229.2] helo=ciao.gmane.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H40t7-0001VG-73 for ietf@ietf.org; Mon, 08 Jan 2007 15:14:34 -0500
Received: from list by ciao.gmane.org with local (Exim 4.43) id 1H40t1-0004Ye-OP for ietf@ietf.org; Mon, 08 Jan 2007 21:14:27 +0100
Received: from 212.82.251.141 ([212.82.251.141]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf@ietf.org>; Mon, 08 Jan 2007 21:14:27 +0100
Received: from nobody by 212.82.251.141 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf@ietf.org>; Mon, 08 Jan 2007 21:14:27 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: ietf@ietf.org
From: Frank Ellermann <nobody@xyzzy.claranet.de>
Date: Mon, 08 Jan 2007 21:10:29 +0100
Organization: <URL:http://purl.net/xyzzy>
Lines: 58
Message-ID: <45A2A535.7BF8@xyzzy.claranet.de>
References: <E1H1ksJ-0003tf-E1@stiedprstage1.ietf.org> <45A009C2.7145@xyzzy.claranet.de> <45A0AD88.9000500@cisco.com> <p06240601c1c842ca69cc@[129.46.225.123]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Complaints-To: usenet@sea.gmane.org
X-Gmane-NNTP-Posting-Host: 212.82.251.141
X-Mailer: Mozilla 3.0 (OS/2; U)
X-Spam-Score: 1.6 (+)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Subject: Re: Last Call: draft-ietf-opes-smtp-security (Integrity, privacy and security in OPES for SMTP) to Informational RFC
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org
Ted Hardie wrote: > I don't think adding explicit interactions with DKIM is appropriate > for this document, If OPES sees the complete message (header + body) it could be used as signer (conceptually somewhere between MSA and mailout) or verifier (between MX and MDA, if it has DNS access). That's no problem. It would be bad if OPES removes or quarantines critical MIME parts needed for a verifier behind OPES. Or if it manipulates parts of the header required for DKIM. Probably an obvious "don't do that", but it's less obvious if something behind OPES (e.g. the MDA) decides to forward or resend the message to a 3rd party. DKIM is designed to survive 1123 5.3.6(a) scenarios. For some purposes OPES has to be as near to the border MX as possible, ideally allowing to reject the mail before it's accepted. For other purposes it has to be as near to the MDA as possible, after it's clear that the mail is not forwarded to a 3rd party. That's a conflict. >> If a mail message was rejected or could not be delivered (and a NDR >> was sent), the originator of the message may want to bypass the OPES >> system that blocked the message. I interpreted that paragraph as "reject (or if that's too late bounce)" with instructions to the originator how to bypasss OPES. And that's in essence the same as C/R. > I have no comment on whether this is "net abuse" A bounce to an unverified (no SPF PASS or similar) Return-Path most probably hits innocent bystanders. That's unsolicited bulk e-mail, the "bulk" part being that it's from a bot, not from a human sender, and some inluding me consider UBE as spam, i.e. net abuse. > you could easily see the mailman spam quarantine system under this > model. Mailman is behind all spam protection systems, DNSBLs, SPF, SA, OPES, SIEVE, and what else. It has a decent chance that most crap including bogus Return-Paths is already filtered before it sends any inquiries to the envelope sender (as specified in RFC 3834). But OPES isn't behind the filters, it is (a part of) the filters. > Can Frank clarify? See above, I wasn't talking about "bypass" actions triggered by the recipient (maybe talking to the sender how to do this), but about any "bypass" proposal in NDRs to forged envelope senders. I never got the OPES idea. Of course folks can do their A/V and SIEVE and SIQ (I-D.irtf-asrg-iar-howe-siq-03) businesss on a separate box, they can even outsource it, but they do this already without OPES. So what's the technical point of OPES wrt mail ? Frank _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Frank Ellermann
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Eliot Lear
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Ted Hardie
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Frank Ellermann
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Eliot Lear
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Ted Hardie
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Dave Crocker
- RE: Last Call: draft-ietf-opes-smtp-security (Int… Stecher,Martin
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Dave Crocker
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Tony Finch
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Markus Hofmann
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Frank Ellermann
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Barry Leiba
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Douglas Otis
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Dave Crocker
- Re: Last Call: draft-ietf-opes-smtp-security (Int… Markus Hofmann