ietf-smtp

Re: Submission identifiers

2009-01-25 10:45:22

John C Klensin wrote:
(2) We should not forget that there are full-service SMTP
clients running on portable machines, small networks, without
unlimited resources, and/or serving small numbers of users.
Forcing all of those servers to be configured to use Giant
Provider gateways to send mail would be... well, a very
significant Internet policy change.

Away from me pushing for that! Although it may seem easier to manage reputation in a world with only a few providers, that would make it hard for each of them to manage their users' reputations. Roughly, I'd say there should be an optimum when the number of global ESPs more or less equals the number of users per single ESP.

The EHLO name had better be unique for tracing and debugging.
OTOH, it had better be "meaningful" for filtering and
reputation management. Do these two kinds of activities somehow
match the scenarios implied by that split?

Not sure.  But let me suggest an orthogonal distinction.  If one
assumes a sender of moderate competence acting in good
conscience and trying to make things work as well as possible,
the EHLO name provides useful information for tracking down and
debugging, e.g., mail system failures, especially if it is used
in conjunction with other information that requires the same
assumptions.

A real example: I receive "EHLO fk-out-0910.google.com" rather than "EHLO gmail.com". The latter would match the DKIM domain in the body. The former correctly resolves to a block of 8 addresses, one of which is the one being used. That host does not pass SPF HELO checks. Google's staff certainly have more than moderate competence. Since they don't backscatter, they probably assume that passing SPF MAILFROM is enough, notwithstanding those who think SPF is better at HELO (doesn't break forwarding).

Another commonly used SMTP-level check is greylisting, which also has trouble trying to match those fine-grained FQDNs.

Curiously, it is much easier for small providers to put A records on the domain name that is also used smoothly for other checks. Thus, it seems that fine-grained identifiers introduce a discontinuity w.r.t. the provider's network size. The opposite of fact (2) above.

If one assumes a sender of moderate (or greater)
competence who is a Bad Guy trying to trick a recipient system
that doesn't want his traffic into processing and accepting it,
then domain names, IP addresses, etc., just aren't going to be
good enough.

That's after that prohibition in 4.1.4. I don't know _when_ it will be savvy to reverse it.

Since we're talking about banning HELO for relays, I suggest it may be a good occasion to also modify its argument slightly. As someone pointed out, we would need a way to verify it. For the global Internet, that implies looking up the identifier in the DNS, in order to match the connecting IP address. SPF is an example of an alternative to an A record. I'm not trying to push SPF here, really. I'm suggesting that the requirement that "the argument clause contains the fully-qualified domain name of the SMTP client" could be relaxed by only requiring that the name matches the address of the client in some standard way. It should consistently identify all hosts of an ADMD when they connect to external hosts. Semantically, that is equivalent to overloading the Standardized-tag that I already proposed.
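
The two ways of matching an EHLO name to the connecting address that the message above contrasts (an A record on the name, or an SPF record published at the HELO identity), as an added example that is not part of the original message. It runs against constructed DNS data using documentation names and addresses; `lookup`, `a_match`, `spf_helo` and `verify_ehlo` are hypothetical helpers, and the SPF evaluator is a reduced one that handles only `ip4:`, `a` and `all`.

```python
import ipaddress

# Constructed DNS data (documentation names and addresses, not real records).
ZONE = {
    # Fine-grained outbound host: A records for a block of 8, no SPF at this name.
    ("mx-out-07.example.net", "A"): [f"192.0.2.{n}" for n in range(16, 24)],
    # Domain-level name: SPF covers the outbound block, A points elsewhere.
    ("example.net", "A"): ["192.0.2.80"],
    ("example.net", "TXT"): ["v=spf1 ip4:192.0.2.16/29 -all"],
    # Small provider: one name serves both the A check and the SPF check.
    ("small.example.org", "A"): ["198.51.100.25"],
    ("small.example.org", "TXT"): ["v=spf1 a -all"],
}

def lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def a_match(name, client_ip):
    """True when one of the name's A records equals the connecting address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, "A"))

def spf_helo(name, client_ip):
    """Reduced SPF evaluation of the EHLO name (ip4:, a and all only)."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(name, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("ip4:"):
            hit = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "a":
            hit = a_match(name, client_ip)
        elif mech == "all":
            hit = True
        else:
            return "permerror"  # mechanism outside this reduced subset
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def verify_ehlo(name, client_ip):
    """Report both checks so a receiver can see which identifier style matches."""
    return {"a_record": a_match(name, client_ip), "spf_helo": spf_helo(name, client_ip)}
```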
