Re: [secdir] Review of draft-freed-sieve-notary-07

Tero Kivinen <kivinen@iki.fi> Thu, 22 April 2010 09:14 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A4BC3A6A51; Thu, 22 Apr 2010 02:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.02
X-Spam-Level:
X-Spam-Status: No, score=-1.02 tagged_above=-999 required=5 tests=[AWL=-0.835, BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t7eonpC-hu-V; Thu, 22 Apr 2010 02:14:05 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 8A05F3A6A24; Thu, 22 Apr 2010 02:14:02 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o3M9DiUF020564 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Apr 2010 12:13:44 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o3M9DgIW024619; Thu, 22 Apr 2010 12:13:42 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <19408.4934.51757.287355@fireball.kivinen.iki.fi>
Date: Thu, 22 Apr 2010 12:13:42 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Alexey Melnikov <alexey.melnikov@isode.com>
In-Reply-To: <4BCF2247.5040107@isode.com>
References: <19396.29206.787824.69029@fireball.kivinen.iki.fi> <4BCF2247.5040107@isode.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 14 min
X-Total-Time: 15 min
Cc: Cyrus Daboo <cyrus@daboo.name>, Ned Freed <ned.freed@mrochek.com>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-freed-sieve-notary-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2010 09:14:15 -0000

Alexey Melnikov writes:
> The answer to your question is "it depends on an implementation". The 
> redirect action is defined in section 4.2 of RFC 5228, which says:
> 
>    The envelope sender address on the outgoing message is chosen by the
>    sieve implementation.  It MAY be copied from the message being
>    processed.  However, if the message being processed has an empty
>    envelope sender address the outgoing message MUST also have an empty
>    envelope sender address.  This last requirement is imposed to prevent
>    loops in the case where a message is redirected to an invalid address
>    when then returns a delivery status notification that also ends up
>    being redirected to the same invalid address.

Ok. Then it might be good idea to mention this also in this document,
as it affects where the status notifications are going to, i.e. if
user decides he wants to request status notifications, he does not
know whether it goes to the original author or to his own address.

> >The number of delivery status notifications can be quite large,
> >especially if the ":bytrace" option of the redirect is used, as then
> >every single future step for email processing, will send "relayed"
> >status notification, and if there is for example mail loop or similar,
> >this can be several dozen of status notifications.
> >
> Can you clarify what do you mean by "every single future step for email 
> processing"?
> 
> My recollection is that for any given SMTP path from a sender to a 
> recipient only a single "relay" DSN can be generated.

No. If I send email from my home machine to kivinen@iki.fi address,
and use the trace option of DELIVERYBY feature I will get one status
notification when my local machine takes email in and relays it to
iki.fi mail server. Then I get another status notification when the
iki.fi email-server gets message in and forwards it to iki.fi-spam
filter (this setting is per user setting and the spam processing is
done on the other machine). Then I get next one when the spam filter
machine is done running the spamassasin and forwards that email to my
real end delivery address (which in my case happens to be my home
machine kivinen.iki.fi). Then when my home machine gets the email
again now with envelope receiver of kivinen@kivinen.iki.fi (as
rewritten by the iki.fi machines) it will send me the fourth trace
message.

So every single machine which relays the email sends the status
notification saying the email was relayed.

Now when I noticed there is such feature, I have found it quite useful
when debugging email problems.

I am one of the maintainers of the iki.fi, which provides permanent
email forwarding services, and quite often our members complain that
their emails does not get through, and now I have easy way of sending
one email with trace option and I can see from DSNs that the email
goes through iki.fi machines without delays and problems, and that the
email was delivered to the members next step machine (which usually
does not enable DELIVERYBY so I do not get any further reports).

So if someone enables trace option in the middle and then redirects
the email to forward then there might be several of those relayed
status notifications sent to either to the original author or to the
one running the sieve (depending which envelope sender the sieve
implementation used).

> >This should most likely be mentioned in the security considerations
> >section more clearly. The security considerations section do warn
> >about generating status notification, and says that
> >
> >  "Sites which limit the ability to request success notifications will
> >   also need to restrict the ability to request them using the
> >   redirect-dsn extension."
> >
> >but that does not help at all, as if the original senders site limits
> >the ability to request notifications, the host running sieve email
> >filter of the receiver might not have such restrictions, thus receiver
> >can enable them even when they were forbidden from the sender.

Ok, now this also makes bit more sense, as if the sieve implmentation
decides to rewrite the envelope sender then this restriction is
appropriate, but if it does not rewrite the envelope sender, then it
does not help, as the machine running sieve might not know the policy
required by the original senders machine, i.e. whether the original
sender was allowed to request those status notifications or not.
-- 
kivinen@iki.fi