Douglas Otis wrote:

Standardizing on AAAA fallback when MX resource records do not exist will
require those using IPv6-only hostnames to publish bogus MX resource
records as a means to avoid undesired traffic SMTP now generates.
Standardization on AAAA fallback is likely to attract this undesired
traffic and further abuse of SMTP. The undesired traffic can be
substantial, depending upon the nature of the spoofed email, where
creating bogus MX resource records in response should not be seen as
beneficial. This effort will increase the DNS zone sizes. Instances of
IPv6-only SMTP lacking MX records and receiving public SMTP traffic are
sure to represent a small minority of the number of hostnames in IPv6
address space.

Hi Doug,

Question.

Given a MX mandate for security purposes, I have the following questions:

(1) WHERE is the MX mandate best applied?

    (A) 2821 Return Path
    (B) 2822 Reply-To:
    (C) 2822 From:
    (D) 2822 Sender:
    (E) Other

(2) WHEN is the MX best utilized?

    (A) Before the PAYLOAD is transmitted?
    (B) After the PAYLOAD is transmitted but not accepted yet. (DATA)
    (C) After the PAYLOAD is accepted with a 250 response
    (D) Only when NECESSARY

Of course, if your answer is 1.A, then it is best utilized at 2.A.

But I am afraid you and others are going to have vastly different
views about where MX is used and when it is applied. Regardless of
WHERE, most will have no real choice when it can be applied. For many,
2.C is their only option. In fact, I think we might find many here say
2.D is really the only choice since MX is only important come
response time.

What this means is that MANY of the concerns regarding IMPLICIT MX and
bounce attacks can be resolved or drastically minimized by mandating a
2.A or 2.B SMTP level design.
Of course, that is not practical.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
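
Added example, not part of the message above or of any implementation discussed in the thread: a sketch of the 1.A / 2.A case, where the 2821 return path is checked at MAIL FROM before the payload is transmitted, once under an MX mandate and once with implicit MX (A/AAAA fallback). The zone data, function names and reply texts are assumptions constructed for illustration.

```python
# Constructed zone data for illustration (not real DNS answers).
ZONE = {
    "mail.example":   {"MX": [(10, "mx1.mail.example")]},
    "v6host.example": {"AAAA": ["2001:db8::25"]},   # IPv6-only, no MX
    "web.example":    {"A": ["192.0.2.80"]},        # web host, no SMTP service
}


def bounce_targets(domain, implicit_mx, zone=ZONE):
    """Hosts a bounce for `domain` would be delivered to, best preference first."""
    name = domain.lower().rstrip(".")
    records = zone.get(name, {})
    mx = sorted(records.get("MX", []))
    if mx:
        return [host for _pref, host in mx]
    # Implicit MX: with no MX records, treat the name itself as the mail host.
    if implicit_mx and (records.get("A") or records.get("AAAA")):
        return [name]
    return []


def mail_from_reply(return_path, implicit_mx, zone=ZONE):
    """Reply to MAIL FROM, decided before any payload is transmitted (2.A)."""
    if return_path == "":
        return "250 OK"  # null reverse-path <> carries bounces; accepted here
    local, sep, domain = return_path.rpartition("@")
    if not (sep and local and domain):
        return "553 malformed return path"
    if bounce_targets(domain, implicit_mx, zone):
        return "250 OK"
    return "550 return path domain publishes no mail route"


def compare(return_paths, zone=ZONE):
    """Map each return path to (reply under MX mandate, reply with fallback)."""
    return {rp: (mail_from_reply(rp, False, zone), mail_from_reply(rp, True, zone))
            for rp in return_paths}


if __name__ == "__main__":
    sample = ["a@mail.example", "b@v6host.example", "c@web.example",
              "d@nxdomain.example", ""]
    for rp, (strict, fallback) in compare(sample).items():
        print(f"<{rp}>  MX mandate: {strict}  |  implicit MX: {fallback}")
```

With the fallback enabled, a spoofed return path naming web.example or v6host.example passes the check and any later bounce is addressed to that host; under the MX mandate both are refused at MAIL FROM.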