Re: Comments on draft-freed-sieve-environment-04
Alexey Melnikov <alexey.melnikov@isode.com> Tue, 25 March 2008 10:47 UTC
Return-Path: <owner-ietf-mta-filters@mail.imc.org>
X-Original-To: ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com
Delivered-To: ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EBDCF28C473 for <ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com>; Tue, 25 Mar 2008 03:47:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.029
X-Spam-Level:
X-Spam-Status: No, score=-1.029 tagged_above=-999 required=5 tests=[AWL=0.578, BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u305YmH9xVrj for <ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com>; Tue, 25 Mar 2008 03:47:34 -0700 (PDT)
Received: from balder-227.proper.com (cl-240.ewr-01.us.sixxs.net [IPv6:2001:4830:1200:ef::2]) by core3.amsl.com (Postfix) with ESMTP id 4F8FF3A6EC9 for <sieve-archive-Aet6aiqu@ietf.org>; Tue, 25 Mar 2008 03:47:34 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m2PAZGRw098321 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 25 Mar 2008 03:35:16 -0700 (MST) (envelope-from owner-ietf-mta-filters@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m2PAZGa0098320; Tue, 25 Mar 2008 03:35:16 -0700 (MST) (envelope-from owner-ietf-mta-filters@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-mta-filters@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m2PAZDVi098310 for <ietf-mta-filters@imc.org>; Tue, 25 Mar 2008 03:35:14 -0700 (MST) (envelope-from alexey.melnikov@isode.com)
Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R-jVXgBh6Mda@rufus.isode.com>; Tue, 25 Mar 2008 10:35:12 +0000
Message-ID: <47E818AE.1000901@isode.com>
Date: Mon, 24 Mar 2008 21:10:06 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Ned Freed <ned.freed@mrochek.com>
CC: Philip Guenther <guenther@sendmail.com>, ietf-mta-filters@imc.org
Subject: Re: Comments on draft-freed-sieve-environment-04
References: <alpine.BSO.1.00.0803190129540.441@vanye.mho.net> <01MSRCK0MPHS00005Q@mauve.mrochek.com>
In-Reply-To: <01MSRCK0MPHS00005Q@mauve.mrochek.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-mta-filters@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-mta-filters/mail-archive/>
List-ID: <ietf-mta-filters.imc.org>
List-Unsubscribe: <mailto:ietf-mta-filters-request@imc.org?body=unsubscribe>
(Speaking as an individual contributor.) Ned Freed wrote: >> Perhaps there should be a prefix on the value that indicates the >> address family, or it should be formatted like the 'host' >> part of URI? > >> Note that the obvious test of >> environment :matches "remote-ip" "*.*.*.*" > >> will match an IPv6 address literal if the implementation uses the >> x:x:x:x:x:x:d.d.d.d >> form, such as with the IPv4 compat addresses, ala "::FFFF:1.2.3.4". > >> (Yes, this thought was triggered by the "IPv6-only" experiment during >> the >> IETF technical plenary.) > > Well, I certainly hope that for any given address there's exactly one > way it > will end up being represented. If that's not the case then there's a > major > problem that goes far beyond this specific issue. > > There's also the issue of how any future sort of address should be > handled. > Since RFC 2821 has already had to deal with this I think the best way > to handle > it is by referring to the formats defined there. I currently have: > > "remote-ip" > => IP address of remote SMTP/LMTP/Submission client, if > applicable and available. IPv4, IPv6, and other types of > addresses are respectively represented in the formats > defined by the IPv4-address-literal, IPv6-address-literal, > and General-address-literal productions defined in > [RFC 2821] section 4.1.3. As a side note, I think RFC 2821 IPv6 format sucks, because it doesn't match what socket functions return on various OSes. (RFC 2821 uses "IPv6:" prefix). But it is too late to fix that. So, under the circumstances, your proposal is quite reasonable. >> There probably should be a security consideration that explains that the >> value of the "remote-host" item may be controlled by an untrusted >> source. >> For example, the test >> environment :matches "remote-host" "*.mydomain.com" > >> is *not* a good way to test whether the message came from 'outside' >> unless >> the implementation there's some sort of IP->host->IP consistency check >> made. > > Also a good point. I have added: > > The remote-host environment item defined in this specification is > usually > determined by performing a PTR DNS lookup on the client IP address. This > information may come from an untrusted source. For example, the test: > > if environment :matches "remote-host" "*.mydomain.com" { ... } > > is not a good way to test whether the message came from 'outside' becaus typo: because > anyone who can create a PTR record can create one that refers to > whatever > domain they choose. The text looks good to me. >> (The sendmail MTA faced the above issues some time ago for the >> pre-defined >> variables it provides to its rulesets. To quote the sendmail operations >> guide, it defined variables as follows: >> ${client_addr} >> The IP address of the SMTP client. IPv6 >> addresses are tagged with "IPv6:" before the >> address. Defined in the SMTP server only. > >> ${client_name} >> The host name of the SMTP client. This may be >> the client's bracketed IP address in the form [ >> nnn.nnn.nnn.nnn ] for IPv4 and [ >> IPv6:nnnn:...:nnnn ] for IPv6 if the client's IP >> address is not resolvable, or if it is resolvable >> but the IP address of the resolved hostname >> doesn't match the original IP address. Defined >> in the SMTP server only. See also >> ${client_resolve}. > > I think a simpler way to handle this is to say that the name will > be blank if it cannot be resolved into a host name. How about: I like that. > "remote-host" > => Host name of remote SMTP/LMTP/Submission client, if > applicable and available. The empty string will be returned > if for some reason this information cannot be obtained for > the current client.
- Comments on draft-freed-sieve-environment-04 Philip Guenther
- Re: Comments on draft-freed-sieve-environment-04 Ned Freed
- Re: Comments on draft-freed-sieve-environment-04 Philip Guenther
- Re: Comments on draft-freed-sieve-environment-04 Alexey Melnikov
- Re: Comments on draft-freed-sieve-environment-04 Kjetil Torgrim Homme
- Re: Comments on draft-freed-sieve-environment-04 Ned Freed
- Re: Comments on draft-freed-sieve-environment-04 Kjetil Torgrim Homme
- Re: Comments on draft-freed-sieve-environment-04 Ned Freed