Comments on draft-freed-sieve-environment-04
Philip Guenther <guenther@sendmail.com> Wed, 19 March 2008 08:22 UTC
Date: Wed, 19 Mar 2008 02:01:52 -0600
From: Philip Guenther <guenther@sendmail.com>
To: Ned Freed <ned.freed@mrochek.com>
cc: ietf-mta-filters@imc.org
Subject: Comments on draft-freed-sieve-environment-04

If the SMTP session was over IPv6, what should the "remote-ip" environment item be set to? Perhaps there should be a prefix on the value that indicates the address family, or it should be formatted like the 'host' part of URI? Note that the obvious test of

    environment :matches "remote-ip" "*.*.*.*"

will match an IPv6 address literal if the implementation uses the x:x:x:x:x:x:d.d.d.d form, such as with the IPv4 compat addresses, ala "::FFFF:1.2.3.4".

(Yes, this thought was triggered by the "IPv6-only" experiment during the IETF technical plenary.)

There probably should be a security consideration that explains that the value of the "remote-host" item may be controlled by an untrusted source. For example, the test

    environment :matches "remote-host" "*.mydomain.com"

is *not* a good way to test whether the message came from 'outside' unless in the implementation there's some sort of IP->host->IP consistency check made.

(The sendmail MTA faced the above issues some time ago for the pre-defined variables it provides to its rulesets. To quote the sendmail operations guide, it defined variables as follows:

    ${client_addr}
        The IP address of the SMTP client. IPv6 addresses are tagged with "IPv6:" before the address. Defined in the SMTP server only.

    ${client_name}
        The host name of the SMTP client. This may be the client's bracketed IP address in the form [ nnn.nnn.nnn.nnn ] for IPv4 and [ IPv6:nnnn:...:nnnn ] for IPv6 if the client's IP address is not resolvable, or if it is resolvable but the IP address of the resolved hostname doesn't match the original IP address. Defined in the SMTP server only. See also ${client_resolve}.

    ${client_ptr}
        The result of the PTR lookup for the client IP address. Note: this is the same as ${client_name} if and only if ${client_resolve} is OK. Defined in the SMTP server only.

    ${client_resolve}
        Holds the result of the resolve call for ${client_name}. Possible values are:

            OK      resolved successfully
            FAIL    permanent lookup failure
            FORGED  forward lookup doesn't match reverse lookup
            TEMP    temporary lookup failure

        Defined in the SMTP server only. sendmail performs a hostname lookup on the IP address of the connecting client. Next the IP addresses of that hostname are looked up. If the client IP address does not appear in that list, then the hostname is maybe forged. This is reflected as the value FORGED for ${client_resolve} and it also shows up in $_ as "(may be forged)".

While client_ptr and client_resolve are probably overkill for the sieve environment extension, the tagging in client_addr and precise definition of when client_name contains a name and not an address literal seem like practical guidance in this area.)

Philip Guenther
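
The two pitfalls raised in the message above, as an added Python example that is not part of the original post: a Sieve-style ":matches" glob run against an IPv6 literal with an embedded dotted quad, and an IP->host->IP check that only hands a host name to the filter when the forward lookup confirms it. The function names, the resolver callables and the DNS table are assumptions constructed for the illustration; the status names follow the sendmail text quoted above.

```python
import ipaddress
import re

def sieve_matches(value, pattern):
    """Sieve :matches (RFC 5228): '*' is any run of characters, '?' is one.
    Compared case-insensitively, as the default i;ascii-casemap does;
    backslash escapes are left out of this sketch."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None

def tag_address(literal):
    """Family-tagged form in the style of ${client_addr}: 'IPv6:' on IPv6."""
    return ("IPv6:" if ipaddress.ip_address(literal).version == 6 else "") + literal

def client_resolve(ip, ptr_lookup, addr_lookup):
    """IP->host->IP check. Returns (status, client_name); the name is only
    a host name when status is OK, otherwise the bracketed literal.
    ptr_lookup and addr_lookup are hypothetical resolver callables."""
    literal = "[" + tag_address(ip) + "]"
    try:
        name = ptr_lookup(ip)
        if name is None:
            return "FAIL", literal
        forward = {ipaddress.ip_address(a) for a in addr_lookup(name)}
    except TimeoutError:  # assumption: resolver signals a temporary failure this way
        return "TEMP", literal
    if ipaddress.ip_address(ip) not in forward:
        return "FORGED", literal
    return "OK", name

# Constructed DNS data (documentation address ranges, made-up host names).
# The PTR record for 198.51.100.7 is under the client's control and lies.
PTR = {"192.0.2.10": "mx.mydomain.com", "198.51.100.7": "host.mydomain.com",
       "2001:db8::25": "mx6.mydomain.com"}
FWD = {"mx.mydomain.com": ["192.0.2.10"], "host.mydomain.com": ["203.0.113.9"],
       "mx6.mydomain.com": ["2001:DB8:0:0:0:0:0:25"]}

def remote_host(ip):
    """(status, value) a filter could expose as "remote-host" for this client."""
    return client_resolve(ip, PTR.get, lambda name: FWD.get(name, []))

def from_inside(ip):
    """The "*.mydomain.com" test, applied to the verified value only."""
    return sieve_matches(remote_host(ip)[1], "*.mydomain.com")
```

Matching the raw PTR result for 198.51.100.7 against "*.mydomain.com" succeeds, while from_inside() rejects it because the forward lookup does not return the connecting address.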