
Re: [Asrg] Re: 6 - Designated Relays Inquiry Protocol (DRIP)

2003-06-29 12:13:37
On Sun, Jun 29, 2003 at 02:55:33PM -0400, Yakov Shafranovich wrote:
At 01:21 PM 6/28/2003 -0400, Raymond S Brand wrote:

The June 24 DRIP document has a problem with the use of DNS
wildcard records. Attached is an updated DRIP document and
a diff of the important changes between the two documents.
[..]

  The Designated Relays Inquiry Protocol, DRIP, is a method for domain
  name owners to specify the IP addresses that are authorized to relay
  mail as a domain name in the SMTP HELO and EHLO commands. The
  protocol provides a method for server MTAs to reject SMTP connections
  from IP addresses not authorized to use the domain name given in the
  SMTP HELO and EHLO commands.
[..]

How is this proposal different from the RMX proposal by Hadmut Danisch
(http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-02.txt) and
the various other rDNS proposals (see Mike Rubel's page at
http://www.mikerubel.org/computers/rmx_records/)?

RMX (et al.) deal with the envelope-from address.  This proposal has
nothing to do with the envelope.  It is an attempt to sanitize the
hostname specified as the HELO/EHLO when connecting to a remote
MTA.

IOW, if I connect to a remote MTA and my MTA sends the greeting
EHLO play.gamerz.net, that MTA can do a lookup of
my_ip_ad_dr._relays_._email_.play.gamerz.net and see immediately,
if it gets my.ip.ad.dr as the response, that, indeed, I am
a DRIP-subscribed host.  If any other host attempts to connect
and claim to be play.gamerz.net, the IPs will not match (or there
will be no record at all).

If the IPs do not match, it is a host forging my hostname.  Drop
the connection like a hot potato[e].  If no record is returned at all
I can't glean anything (yet).  The RECOMMENDED behaviour is to 
stop dropping hostname parts...
    my_ip_ad_dr._relays_._email_.gamerz.net 
    my_ip_ad_dr._relays_._email_.net 

If either of those returns a value, I can say "gamerz.net" does claim
to support DRIP records.  But since play.gamerz.net was not found,
that host is not authorized to send mail OUT...  It should have sent
mail via the designated gamerz.net relay.  And as such, I should
drop this connection.

If no records of any kind are found (even when searching the parents),
I know this domain does not subscribe to the DRIP idea.  I can't
assume anything.  But long(ish) term, if enough domains adopt DRIP,
MTAs might adopt an "if I can't get your DRIP records I won't talk to
you" (much like the current "if I can't resolve your reverse DNS,
I won't talk to you").

Richard "who should be working on the DRIP milter, but it's too nice
outside, so is going to the pool" Rognlie

-- 
 /  \__  | Richard Rognlie / Oracle Prophet / Gamerz.NET Lackey
 \__/  \ | http://www.gamerz.net/rrognlie/    <rrognlie(_at_)gamerz(_dot_)net>
 /  \__/ | The past is the future
 \__/    |                  Nobody expects the spammish inquisition
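The lookup sequence Richard walks through above, as an added example that is not part of the original message and not code from any DRIP implementation: a toy in-memory resolver stands in for DNS, every record name and address in it is constructed, and its wildcard fallback is a simplification of real DNS wildcard matching.

```python
from typing import Callable, List, Optional

Resolver = Callable[[str], Optional[List[str]]]

def drip_name(ip: str, domain: str) -> str:
    """Query name for an IP under a domain: dots in the IP become underscores,
    followed by the fixed labels _relays_._email_ and the domain."""
    return f"{ip.replace('.', '_')}._relays_._email_.{domain}"

def parents(helo: str) -> List[str]:
    """Parent domains of the HELO name down to the TLD:
    play.gamerz.net -> ['gamerz.net', 'net']."""
    labels = helo.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]

def drip_check(helo: str, client_ip: str, resolve: Resolver) -> str:
    """Classify a connection from client_ip that greeted with HELO/EHLO helo.
    Returns 'authorized', 'forged', 'unauthorized_relay' or 'unknown'."""
    answer = resolve(drip_name(client_ip, helo))
    if answer:
        # A record exists under the HELO name; it must echo the client IP back.
        return "authorized" if client_ip in answer else "forged"
    # No record for the host itself: drop hostname parts and ask the parents.
    # A hit there means the domain publishes DRIP but this host is not a
    # designated relay, so it should have sent via the parent's relay.
    for parent in parents(helo):
        if resolve(drip_name(client_ip, parent)):
            return "unauthorized_relay"
    # Nothing at any level: the domain does not participate; no conclusion.
    return "unknown"

# Constructed zone data standing in for DNS (hypothetical names and addresses).
ZONE = {
    # play.gamerz.net designates 192.0.2.10; the wildcard hands that address to
    # any other IP asking under play.gamerz.net, which then fails to match.
    "192_0_2_10._relays_._email_.play.gamerz.net": ["192.0.2.10"],
    "*._relays_._email_.play.gamerz.net": ["192.0.2.10"],
    # The parent zone designates its own relay.
    "192_0_2_20._relays_._email_.gamerz.net": ["192.0.2.20"],
}

def lookup(name: str) -> Optional[List[str]]:
    """Toy resolver over ZONE with a simplified DNS wildcard fallback: if the
    exact name is absent, retry with the first label replaced by '*'."""
    if name in ZONE:
        return ZONE[name]
    _first, _sep, rest = name.partition(".")
    return ZONE.get("*." + rest)
```

With the constructed zone, `drip_check("play.gamerz.net", "192.0.2.99", lookup)` comes back as forged because the wildcard answers with the designated address rather than the client's, while a host under an unpublished domain gets no verdict at all.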
