[Top] [All Lists]

Re: Submission identifiers

2009-01-25 10:45:22

John C Klensin wrote:
(2) We should not forget that there are full-service SMTP
clients running on portable machines, small networks, without
unlimited resources, and/or serving small numbers of users.
Forcing all of those servers to be configured to use Giant
Provider gateways to send mail would be... well, a very
significant Internet policy change.

Away from me pushing for that! Although it may seem easier to manage reputation in a world with only a few providers, that would make it hard for each of them to manage their users' reputations. Roughly, I'd say there should be an optimum when the number of global ESPs more or less equals the number of users per single ESP.

The EHLO name has better be unique for tracing and debugging.
OTOH, it has better be "meaningful" for filtering and
reputation management. Do these two kind of activities somehow
match the scenarios implied by that split?

Not sure.  But let me suggest an orthogonal distinction.  If one
assumes a sender of moderate competence acting in good
conscience and trying to make things work as well as possible,
the EHLO name, provides useful information for tracking down and
debugging, e.g., mail system failures, especially if it is used
in conjunction with other information that requires the same

A real example: I receive "EHLO" rather than "EHLO". The latter would match the DKIM domain in the body. The former correctly resolves to a block of 8 addresses, one of which is the one being used. That host does not pass SPF HELO checks. Google's staff certainly have more than moderate competence. Since they don't backscatter, they probably assume that passing SPF MAILFROM is enough, notwithstanding those who think SPF is better at HELO (doesn't break forwarding.)

Another commonly used SMTP-level check is greylisting, which also has troubles trying to match those fine grained FQDNs.

Curiously, it is much easier for small providers to put A records
on the domain name that is also used smoothly for other checks. Thus, it seems that fine grained identifiers introduce a discontinuity w.r.t. the provider's network size. The opposite of fact (2) above.

   If one assumes a sender of moderate (or greater)
competence who is a Bad Guy trying to trick a recipient system
that doesn't want his traffic into processing and accepting it,
then domain names, IP addresses, etc., just aren't going to be
good enough.

That's after that prohibition in 4.1.4. I don't know _when_ it will be savvy to reverse it.

Since we're talking about banning HELO for relays, I suggest it may be a good occasion to also modify its argument slightly. As someone pointed out, we would need a way to verify it. For global Internet, that implies looking up the identifier in the DNS, in order to match the connecting IP address. SPF is an example of an alternative to an A record. I'm not trying to push SPF here, really. I'm suggesting that the requirement that "the argument clause contains the fully-qualified domain name of the SMTP client" could be relaxed by only requiring that the name matches the address of the client in some standard way. It should consistently identify all hosts of an ADMD when they connect to external hosts. Semantically, that is equivalent to overloading the Standardized-tag, that I already proposed.

<Prev in Thread] Current Thread [Next in Thread>