Re: [secdir] Review of draft-freed-sieve-notary-07

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 21 April 2010 16:33 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 41F9728C4AD; Wed, 21 Apr 2010 09:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.404
X-Spam-Level:
X-Spam-Status: No, score=-2.404 tagged_above=-999 required=5 tests=[AWL=0.195, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lmMrvooW5XUi; Wed, 21 Apr 2010 09:33:36 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id C19C73A6D25; Wed, 21 Apr 2010 09:05:44 -0700 (PDT)
Received: from [172.16.2.144] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <S88iTQBHTqZ8@rufus.isode.com>; Wed, 21 Apr 2010 17:05:34 +0100
Message-ID: <4BCF2247.5040107@isode.com>
Date: Wed, 21 Apr 2010 17:05:27 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Tero Kivinen <kivinen@iki.fi>
References: <19396.29206.787824.69029@fireball.kivinen.iki.fi>
In-Reply-To: <19396.29206.787824.69029@fireball.kivinen.iki.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Cyrus Daboo <cyrus@daboo.name>, Ned Freed <ned.freed@mrochek.com>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-freed-sieve-notary-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2010 16:33:37 -0000

Hi Tero,

Tero Kivinen wrote:

>I have reviewed this document as part of the security directorate's 
>ongoing effort to review all IETF documents being processed by the 
>IESG.  These comments were written primarily for the benefit of the 
>security area directors.  Document editors and WG chairs should treat 
>these comments just like any other last call comments.
>
>This draft provides two things. Firstly it will provide ability for
>sieve email filtering program to see the delivery status notification
>and deliver by information from the envelope. Secondly it allows
>setting those same parameters when using sieve redirect action.
>
>The first part does not have security issues, but the second might
>have, as it causes delivery notify emails to be sent which were not
>originally requested by the original author.
>
>This can cause problems for the original sender, as he is now getting
>the deliver status notifications which he has not requested. The draft
>does not explictly specify, but I do assume that the sieve redirect
>keeps the original sender intact, so the deliver status notification
>messages are sent to the original author, not to the user doing the
>redirect.
>  
>
The answer to your question is "it depends on an implementation". The 
redirect action is defined in section 4.2 of RFC 5228, which says:

   The envelope sender address on the outgoing message is chosen by the
   sieve implementation.  It MAY be copied from the message being
   processed.  However, if the message being processed has an empty
   envelope sender address the outgoing message MUST also have an empty
   envelope sender address.  This last requirement is imposed to prevent
   loops in the case where a message is redirected to an invalid address
   when then returns a delivery status notification that also ends up
   being redirected to the same invalid address.


>The number of delivery status notifications can be quite large,
>especially if the ":bytrace" option of the redirect is used, as then
>every single future step for email processing, will send "relayed"
>status notification, and if there is for example mail loop or similar,
>this can be several dozen of status notifications.
>
Can you clarify what do you mean by "every single future step for email 
processing"?

My recollection is that for any given SMTP path from a sender to a 
recipient only a single "relay" DSN can be generated.

>This should most likely be mentioned in the security considerations
>section more clearly. The security considerations section do warn
>about generating status notification, and says that
>
>  "Sites which limit the ability to request success notifications will
>   also need to restrict the ability to request them using the
>   redirect-dsn extension."
>
>but that does not help at all, as if the original senders site limits
>the ability to request notifications, the host running sieve email
>filter of the receiver might not have such restrictions, thus receiver
>can enable them even when they were forbidden from the sender.
>  
>