On 25/10/2012 13:14, Martijn Grooten wrote:
> Can't we do something entirely different for IPv6? Like, use domain-based
> filtering by making it mandatory to DKIM-sign a message you send over IPv6
> outside of your network? As long as IPv4 and IPv6 are running in parallel it
> should be possible for IPv6 MTA to refuse messages that aren't DKIM-signed -
> and tell the sender to retry over IPv4

Is it even possible to tell an IPv6 sender to retry over IPv4? I know
I've seen discussion about whether it should be possible, but I'm fairly
sure it wasn't at that time (I think it should be possible).

Having a 'retry over IPv4' option would help a lot, especially if we had
a mechanism to link an IPv6 and an IPv4 attempt - could be a good way of
bootstrapping an IPv6 reputation system (or whitelist). But, I'm not
sure the IETF would approve, and it may be too late anyway...

I do think that (with hindsight) IPv6 support for MTAs could have done
with more thought before it was standardised. Things like requiring DKIM
(or SPF or some new equivalent) and mechanisms to fall back to IPv4 may
have been good things to enforce in an IPv6 world so being a mandatory
part of 'SMTPv6' rather than options as we'd have to do now. MTA SMTP is
a totally different world from pretty much everything else IP because
although deployment is very widespread the actual number of legitimate
MTAs is tiny compared to the rest of the Internet connected stuff, and
SMTP is also quite vulnerable to 'legitimate attacks' unlike other
protocols (e.g. most spam is sent by doing everything according to the
standards, not by trying to find loopholes in it). IPv6 could have been
the place to build a 'safe new SMTP world', but that opportunity is
pretty much gone now :-(

--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg