IETF Logo Mail Archive

Re: Comments on draft-freed-sieve-environment-04

Alexey Melnikov <alexey.melnikov@isode.com> Tue, 25 March 2008 10:47 UTC

Return-Path: <owner-ietf-mta-filters@mail.imc.org>
X-Original-To: ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com
Delivered-To: ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EBDCF28C473 for <ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com>; Tue, 25 Mar 2008 03:47:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.029
X-Spam-Level:
X-Spam-Status: No, score=-1.029 tagged_above=-999 required=5 tests=[AWL=0.578, BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u305YmH9xVrj for <ietfarch-sieve-archive-Aet6aiqu@core3.amsl.com>; Tue, 25 Mar 2008 03:47:34 -0700 (PDT)
Received: from balder-227.proper.com (cl-240.ewr-01.us.sixxs.net [IPv6:2001:4830:1200:ef::2]) by core3.amsl.com (Postfix) with ESMTP id 4F8FF3A6EC9 for <sieve-archive-Aet6aiqu@ietf.org>; Tue, 25 Mar 2008 03:47:34 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m2PAZGRw098321 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 25 Mar 2008 03:35:16 -0700 (MST) (envelope-from owner-ietf-mta-filters@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m2PAZGa0098320; Tue, 25 Mar 2008 03:35:16 -0700 (MST) (envelope-from owner-ietf-mta-filters@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-mta-filters@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m2PAZDVi098310 for <ietf-mta-filters@imc.org>; Tue, 25 Mar 2008 03:35:14 -0700 (MST) (envelope-from alexey.melnikov@isode.com)
Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <R-jVXgBh6Mda@rufus.isode.com>; Tue, 25 Mar 2008 10:35:12 +0000
Message-ID: <47E818AE.1000901@isode.com>
Date: Mon, 24 Mar 2008 21:10:06 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Ned Freed <ned.freed@mrochek.com>
CC: Philip Guenther <guenther@sendmail.com>, ietf-mta-filters@imc.org
Subject: Re: Comments on draft-freed-sieve-environment-04
References: <alpine.BSO.1.00.0803190129540.441@vanye.mho.net> <01MSRCK0MPHS00005Q@mauve.mrochek.com>
In-Reply-To: <01MSRCK0MPHS00005Q@mauve.mrochek.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-mta-filters@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-mta-filters/mail-archive/>
List-ID: <ietf-mta-filters.imc.org>
List-Unsubscribe: <mailto:ietf-mta-filters-request@imc.org?body=unsubscribe>

(Speaking as an individual contributor.)

Ned Freed wrote:

>> Perhaps there should be a prefix on the value that indicates the 
>> address family, or it should be formatted like the 'host'
>> part of URI?
>
>> Note that the obvious test of
>>      environment :matches "remote-ip" "*.*.*.*"
>
>> will match an IPv6 address literal if the implementation uses the
>>      x:x:x:x:x:x:d.d.d.d
>> form, such as with the IPv4 compat addresses, ala "::FFFF:1.2.3.4".
>
>> (Yes, this thought was triggered by the "IPv6-only" experiment during 
>> the
>> IETF technical plenary.)
>
> Well, I certainly hope that for any given address there's exactly one 
> way it
> will end up being represented. If that's not the case then there's a 
> major
> problem that goes far beyond this specific issue.
>
> There's also the issue of how any future sort of address should be 
> handled.
> Since RFC 2821 has already had to deal with this I think the best way 
> to handle
> it is by referring to the formats defined there. I currently have:
>
> "remote-ip"
>           => IP address of remote SMTP/LMTP/Submission client, if
>              applicable and available. IPv4, IPv6, and other types of
>              addresses are respectively represented in the formats
>              defined by the IPv4-address-literal, IPv6-address-literal,
>              and General-address-literal productions defined in
>              [RFC 2821] section 4.1.3.

As a side note, I think RFC 2821 IPv6 format sucks, because it doesn't 
match what socket functions return on various OSes. (RFC 2821 uses
"IPv6:" prefix). But it is too late to fix that. So, under the 
circumstances, your proposal is quite reasonable.

>> There probably should be a security consideration that explains that the
>> value of the "remote-host" item may be controlled by an untrusted 
>> source.
>> For example, the test
>>      environment :matches "remote-host" "*.mydomain.com"
>
>> is *not* a good way to test whether the message came from 'outside' 
>> unless
>> the implementation there's some sort of IP->host->IP consistency check
>> made.
>
> Also a good point. I have added:
>
>  The remote-host environment item defined in this specification is 
> usually
>  determined by performing a PTR DNS lookup on the client IP address. This
>  information may come from an untrusted source. For example, the test:
>
>    if environment :matches "remote-host" "*.mydomain.com" { ... }
>
>  is not a good way to test whether the message came from 'outside' becaus

typo: because

>  anyone who can create a PTR record can create one that refers to 
> whatever
>  domain they choose. 

The text looks good to me.

>> (The sendmail MTA faced the above issues some time ago for the 
>> pre-defined
>> variables it provides to its rulesets.  To quote the sendmail operations
>> guide, it defined variables as follows:
>>        ${client_addr}
>>             The  IP  address  of  the  SMTP   client.    IPv6
>>             addresses  are  tagged  with  "IPv6:"  before the
>>             address.  Defined in the SMTP server only.
>
>>        ${client_name}
>>             The host name of the SMTP client.   This  may  be
>>             the  client's  bracketed IP address in the form [
>>             nnn.nnn.nnn.nnn    ]    for    IPv4     and     [
>>             IPv6:nnnn:...:nnnn  ] for IPv6 if the client's IP
>>             address is not resolvable, or if it is resolvable
>>             but  the  IP  address  of  the  resolved hostname
>>             doesn't match the original IP  address.   Defined
>>             in    the    SMTP    server   only.    See   also
>>             ${client_resolve}.
>
> I think a simpler way to handle this is to say that the name will
> be blank if it cannot be resolved into a host name. How about:

I like that.

> "remote-host"
>           => Host name of remote SMTP/LMTP/Submission client, if
>              applicable and available. The empty string will be returned
>              if for some reason this information cannot be obtained for
>              the current client.

v2.23.0 | Report a Bug | By Email