IETF Logo Mail Archive

Re: I-D Action:draft-ietf-sieve-notify-mailto-08.txt

Ned Freed <ned.freed@mrochek.com> Mon, 21 July 2008 22:18 UTC

Return-Path: <owner-ietf-mta-filters@mail.imc.org>
X-Original-To: ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com
Delivered-To: ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 141DB3A67E7 for <ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com>; Mon, 21 Jul 2008 15:18:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.317
X-Spam-Level:
X-Spam-Status: No, score=-1.317 tagged_above=-999 required=5 tests=[AWL=0.729, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5fW+-rrVIyAK for <ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com>; Mon, 21 Jul 2008 15:18:52 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id E55F63A6833 for <sieve-archive-Aet6aiqu@ietf.org>; Mon, 21 Jul 2008 15:18:51 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6LLxxZl074524 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Jul 2008 14:59:59 -0700 (MST) (envelope-from owner-ietf-mta-filters@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m6LLxxsb074523; Mon, 21 Jul 2008 14:59:59 -0700 (MST) (envelope-from owner-ietf-mta-filters@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-mta-filters@mail.imc.org using -f
Received: from mauve.mrochek.com (dsl-66-59-230-40.static.linkline.com [66.59.230.40]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6LLxqiE074513 for <ietf-mta-filters@imc.org>; Mon, 21 Jul 2008 14:59:57 -0700 (MST) (envelope-from ned.freed@mrochek.com)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01MXF6PMOF6O00DE8S@mauve.mrochek.com> for ietf-mta-filters@imc.org; Mon, 21 Jul 2008 14:59:50 -0700 (PDT)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01MXF3GB23JK00007A@mauve.mrochek.com>; Mon, 21 Jul 2008 14:59:48 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=nowsp; d=mrochek.com; s=mauve; t=1216677590; h=Date: From:Subject:MIME-version:Content-type; b=kQnRoAlPIUtpXIO1lm8r0ByKm XQBQrem+C7LVKHspiiFH5SaeRoI+wh06v3cjfeFLEuJF1gydmMnEUpE0fjCKQ==
Date: Mon, 21 Jul 2008 14:44:57 -0700
From: Ned Freed <ned.freed@mrochek.com>
Subject: Re: I-D Action:draft-ietf-sieve-notify-mailto-08.txt
In-reply-to: "Your message dated Mon, 21 Jul 2008 16:15:30 -0400" <20080721201530.GA9217@osmium.mv.net>
To: Mark E Mallett <mem@mv.mv.com>
Cc: Barry Leiba <leiba@watson.ibm.com>, ietf-mta-filters@imc.org
Message-id: <01MXF6PLK1XK00007A@mauve.mrochek.com>
MIME-version: 1.0
Content-type: TEXT/PLAIN
Content-transfer-encoding: 7bit
References: <20080709150002.24DB63A6959@core3.amsl.com> <487C931E.9060404@isode.com> <487CB17C.5030406@watson.ibm.com> <20080721201530.GA9217@osmium.mv.net>
Sender: owner-ietf-mta-filters@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-mta-filters/mail-archive/>
List-ID: <ietf-mta-filters.imc.org>
List-Unsubscribe: <mailto:ietf-mta-filters-request@imc.org?body=unsubscribe>


> On Tue, Jul 15, 2008 at 10:17:32AM -0400, Barry Leiba wrote:

> > So, everyone: if you consider yourself an active participant, please
> > send a message to this mailing list within the next, say, week, stating
> > (briefly) your position on this.  There's no need for a lot of
> > explanation, because the reasons on both sides are clear.
> >
> > I'm looking for consensus on one of these:
> >
> > 1. Using Auto-Submitted to avoid loops -- and, therefore, the risk of
> > loops if we send notifications for auto-submitted messages -- is
> > sufficiently important that the current "MUST NOT" text should stay.
> >
> > 2. The use cases for notifications on auto-submitted messages are
> > sufficiently important that the text should be changed.  [Please suggest
> > new text, in this case.]
> >
> > 3. "SHOULD NOT" is an acceptable compromise.  The current "MUST NOT"
> > should be changed to "SHOULD NOT", with some added text to explain the
> > danger very clearly.  [In this case, you can suggest text, or I'll craft
> > it.]

> I can't find any camp to be in, but I feel that #2 is closest.

I'm in much the same position.

> I don't
> think that "Auto-Submitted" is a strong indicator of a non-notifiable
> message, and as I've said I can imagine cases where it's just the opposite.

Exactly. One of the main use cases we have for Sieve notify is  in what I
believe they call a "sensitive" environment - not cut off completely from the
rest of the world, but with strict rules about what can and cannot cross
boundaries. Since messages, including various sorts of notifications, cannot
leave this environment, the goal is to generate notifications that basically
say "there's soemthing over here you need to look at" but which never say any
more than that and send those out. (Yes, I'm well aware of the potential for
traffic analysis here, but I'm not the one who designed or specified any off
this.) In this use case it is critically important that all messages be able to
generate such a notification. As for loops, they cannot occur since these
notification messages can only leave, not reenter.

I could describe at least one other use-case where notifications cannot be
blocked by auto-submitted fields, but I think this makes the point.

> I guess that one thing we're trying to work around is the fact that
> systems that are the target of a notification message, and that might
> pass it on to where it loops back around, can't be relied on to pass
> whole headers, and so things like Received counting or looking at (e.g.)
> "Delivered-To" can't be counted on as those fields might get stripped.
> As might the original "Auto-Submitted" field, so this technique either
> relies on this field being preserved, or on one of the downstream notifiers
> or forwarders adding one of their own.  That all strikes me as kind of
> shakey in addition to being a mis-use of this field.

Agreed. FWIW, my suggestion was to add a parameter to auto-submitted that
uniquely identifies the auto-submitter so that that can be checked and loops
detected that way. But this got shot down for some reason I no longer recall.

I also object somewhat to copying Received: fields over that in fact correspond
to hops that a totally different message took. The relationship between the
notification message and the message that triggered it is just too tenuous.
This is a kluge, and IMO not a terribly good one.

> So I feel that it's important to make a note about loop prevention; that
> it's hard to do when it's a possibility that most header fields will get
> stripped; but that that doesn't make using "Auto-Submitted" any more
> palatable.  I wish I had text to propose, other than just a strong note
> that somehow detecting loops should be a priority of the implementor.

I tried writing text for this some time ago. Didn't get anything worth
posting.

> I also think that the "MUST NOT" under discussion is almost certain to
> be violated, so I would vote against that.

Our implementation is definitely one that's going to violate it, although we'll
probabky make the check configurable and have it default "on". We simply don't
have a choice here - too many important customers depend on this capability and
if we don't provide it I'm sure someone else will be happy to.

				Ned

P.S. I'm also quite worried given the reception the Sieve base got in regards
to the looping potential of redirect that this draft is going to receive at
least one DISCUSS vote from the IESG that's going to be very difficult to
satisfy.

v2.23.0 | Report a Bug | By Email