Re: I-D Action:draft-klensin-rfc2821bis-10.txt

On Apr 24, 2008, at 7:30 PM, Hector Santos wrote:

> Robert A. Rosenberg wrote:
> > > Well, an explicit MX does not resolve this problem of a response  
> > > address not being reachable.
> > You said that "validdomin.com" is a valid domain so attempts to  
> > send to the no-reply address will get to the SMTP server supporting  
> > validdomin.com which will then send a "No Such User" reply (which  
> > in my book qualifies as reachable since the message to no-reply WAS  
> > delivered to the SMTP Server (but then rejected).
> My overall point, in so many words, was that mandating an MX record  
> requirement is meaningless IF the GOAL of the mandate is to thwart  
> bad guys.
Bad-actors run an overwhelming majority of SMTP clients.  If or when  
IPv6 is introduced, IP addresses will quickly become less useful in  
defending against a rising level of SMTP exploitation.  Name mismatch  
must be tolerated in reverse zone due to PTR set limitations.   
Administrative errors often found within the reverse zone and the  
added number of labels for IPv6 ensure checking reverse names will  
remain burdensome.  Names found in the reverse zone are often used  
only to make guesses about the nature of the related address.  These  
guesses are based upon inconsistent and non-standardized conventions,  
especially for classless delegations.  Within the forward zone, unlike  
address records, MX records exclusively support the SMTP service.   
Unless a domain offers clear indications of supporting SMTP by  
publishing discovery records, recipients should forgo other validation  
checks.
Some expect hosts to publish bogus MX records to "opt-out" and avoid  
what might become a significant amount of undesired traffic related to  
SMTP service, signatures, and policy validations.   Of course, an  
equitable solution would be to require valid MX records for those  
supporting SMTP and SMTP extensions, where upon not finding an MX  
record would indicate the extension is not supported.  Without at  
least an A record, SMTP itself is not supported.
Policy assertions may assist in mitigating some exploitation.  Rather  
than flooding name space with synthesized policy records, policy  
should be published in conjunction with the discovery records for the  
specific service.  While many may dismiss a concern about the  
application of policy scaling, policy tactics should be expected to  
evolve.  A means to scale policy must be established.  Policy can  
scale when published only in conjunction with explicit discovery  
records.
Clearly, what does not scale and what would be most unfair is to  
expect every host to publish bogus discovery records for all  
problematic public message exchange protocols.  It is not about  
thwarting bad guys, it is about mitigating undesired traffic for those  
not involved with the problematic protocol.
-Doug