ietf-smtp

Re: Logging port numbers

2011-06-05 01:52:16

There is a difference between LOGS and RFC5322 Trace (Received) lines.

I would not want to add a non-public private port on a RFC5322 trace line that is publicly viewable. It can present undesirable security openings.

-1

--
Sincerely

Hector Santos
http://www.santronics.com


John Levine wrote:
I see that this draft will shortly be an RFC:

http://datatracker.ietf.org/doc/draft-ietf-intarea-server-logging-recommendations/

It tells us that in the coming era of giant NATs, to do useful logging,
along with the IP address and an accurate timestamp, you also need to
log the port number.  That's technically easy enough to do, it took about
5 minutes to patch my SMTP server to log the port number, or more accurately
to get to the point where I couldn't figure out where in the Received:
line to put the port number. Here's what my Received: lines look like now:

Received: from vance3.state.gov (vance.state.gov [169.253.4.31])
  by mail1.iecc.com ([64.57.183.56])
  with ESMTP via TCP id 2467626873; 03 Jun 2011 14:34:46 -0000

Received: from cl-t108-372cl.privatedns.com 
([2607:f748:1200:fa:230:48ff:febd:a370])
  by mail6.iecc.com ([2001:470:1f07:1126::5370:616d:6d79])
  with ESMTP via TCP id 2467293036; 28 May 2011 16:18:48 -0000

One possibility would be to put them after the IP separated by a colon, e.g.

Received: from vance3.state.gov (vance.state.gov [169.253.4.31]:1234)
  by mail1.iecc.com ([64.57.183.56])
  with ESMTP via TCP id 2467626873; 03 Jun 2011 14:34:46 -0000

Received: from cl-t108-372cl.privatedns.com 
([2607:f748:1200:fa:230:48ff:febd:a370]:1234)
  by mail6.iecc.com ([2001:470:1f07:1126::5370:616d:6d79])
  with ESMTP via TCP id 2467293036; 28 May 2011 16:18:48 -0000

That has the disadvantage that RFC 5321 has a nice clear syntax
definition for a Time-stamp-line, and it doesn't include a :port after
the IP address.  I realize that there are a lot of funky Received:
lines in the world, but I would prefer not to add yet more gratuitous
funkitude.  Also, one of the more typical mistakes is to leave out the
[ ] in which case a port number on an IPv6 address could be ambiguous.

So scrutinizing page 60 of RFC 5321, I see a list of opt-info clauses
which offers Additional-Registered-Clauses.  So I propose a port
clause, like this:

Received: from vance3.state.gov (vance.state.gov [169.253.4.31])
  by mail1.iecc.com ([64.57.183.56])
  with ESMTP via TCP port 1234 id 2467626873; 03 Jun 2011 14:34:46 -0000

Received: from cl-t108-372cl.privatedns.com 
([2607:f748:1200:fa:230:48ff:febd:a370])
  by mail6.iecc.com ([2001:470:1f07:1126::5370:616d:6d79])
  with ESMTP via TCP port 1234 id 2467293036; 28 May 2011 16:18:48 -0000

There is a registry for Additional-registered-clauses, which is
currently empty, but we could fix that.  Seems reasonable?

R's,
John


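The two placements John contrasts above (a ":port" suffix inside the TCP-info brackets versus a registered "port" opt-info clause), together with the unbracketed-IPv6 pitfall he mentions, as an added example that is not part of this thread or of any listed implementation: a small Python parser that unfolds a Received: line, pulls the source address and port from either syntax, and refuses to commit to a port when an unbracketed IPv6 literal makes the split ambiguous. The sample headers use documentation addresses and example.* names and are constructed for the example; the Trace field names and the nat_correlatable() helper are my own choices, not anything from RFC 5321 or the draft.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Trace:
    """What a NAT-correlation log needs from one Received: line (field names are mine)."""
    helo: str
    rdns: Optional[str]
    addr: Optional[str]          # canonical source IP, or None if unparseable
    port: Optional[int]          # source TCP port, or None if absent or unsafe to infer
    port_source: Optional[str]   # "tcp-info" for [ip]:port, "port-clause" for "port N"
    msg_id: Optional[str]
    date: str
    ambiguous: bool = False      # unbracketed IPv6 literal followed by ":digits"


# Stamp = From-domain By-domain Opt-info ";" date-time (RFC 5321 section 4.4), loosely matched.
_STAMP = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)(?:\s+\((?P<tcp>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)(?:\s+\([^)]*\))?(?P<opt>.*)$",
    re.IGNORECASE,
)
_BRACKETED = re.compile(r"^(?:(?P<rdns>\S+)\s+)?\[(?P<addr>[^\]]+)\](?::(?P<port>\d{1,5}))?$")
_PORT_CLAUSE = re.compile(r"\bport\s+(\d{1,5})\b", re.IGNORECASE)
_ID_CLAUSE = re.compile(r"\bid\s+(\S+)", re.IGNORECASE)


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def canonical_ip(literal: str) -> Optional[str]:
    """Canonical text of an address-literal; RFC 5321 tags IPv6 literals as 'IPv6:...'."""
    literal = re.sub(r"^IPv6:", "", literal, flags=re.IGNORECASE)
    try:
        return str(ipaddress.ip_address(literal))
    except ValueError:
        return None


def valid_port(s: Optional[str]) -> Optional[int]:
    """Accept only 1..65535; anything else is not a usable TCP port."""
    return int(s) if s and s.isdigit() and 0 < int(s) < 65536 else None


def _parse_tcp_info(info: Optional[str]) -> Tuple[Optional[str], Optional[str], Optional[int], bool]:
    """Return (rdns, addr, port, ambiguous) from the parenthesised TCP-info."""
    if not info:
        return None, None, None, False
    m = _BRACKETED.match(info.strip())
    if m:  # brackets delimit the address, so a trailing ":port" is unambiguous
        return m.group("rdns"), canonical_ip(m.group("addr")), valid_port(m.group("port")), False
    parts = info.split()
    rdns, token = (parts[0] if len(parts) > 1 else None), parts[-1]
    if canonical_ip(token):
        # The whole token parses as an address: for IPv6 a ":NNNN" meant as a
        # port is indistinguishable from a hextet, so flag it and give no port.
        return rdns, canonical_ip(token), None, ":" in token
    host, _, port = token.rpartition(":")
    if host.count(":") == 0 and canonical_ip(host):   # IPv4:port splits safely
        return rdns, canonical_ip(host), valid_port(port), False
    return rdns, None, None, True


def parse_received(header: str) -> Trace:
    """Extract address, port, id and timestamp from one Received: line."""
    line = unfold(header)
    stamp, sep, date = line.rpartition(";")   # date-time follows the last ';'
    m = _STAMP.match(stamp) if sep else None
    if not m:
        raise ValueError("unrecognised Received: line: %r" % line)
    rdns, addr, port, ambiguous = _parse_tcp_info(m.group("tcp"))
    source = "tcp-info" if port is not None else None
    if port is None:  # fall back to the proposed registered clause in Opt-info
        pm = _PORT_CLAUSE.search(m.group("opt"))
        if pm:
            port, source = valid_port(pm.group(1)), "port-clause"
    idm = _ID_CLAUSE.search(m.group("opt"))
    return Trace(m.group("helo"), rdns, addr, port, source,
                 idm.group(1) if idm else None, date.strip(), ambiguous)


def nat_correlatable(t: Trace) -> bool:
    """True when the line carries what the draft asks for: address, port and timestamp."""
    return t.addr is not None and t.port is not None and not t.ambiguous and bool(t.date)


# Constructed samples (documentation addresses, not real mail), modelled on the
# two syntaxes proposed in the thread plus the unbracketed IPv6 pitfall.
SAMPLE_COLON = (
    "Received: from mx3.example.org (mx.example.org [192.0.2.31]:1234)\n"
    "  by mail1.example.com ([192.0.2.56])\n"
    "  with ESMTP via TCP id 2467626873; 03 Jun 2011 14:34:46 -0000\n"
)
SAMPLE_CLAUSE = (
    "Received: from mx.example.net ([IPv6:2001:db8::1])\n"
    "  by mail.example.com ([IPv6:2001:db8:1::5])\n"
    "  with ESMTP via TCP port 40522 id 12345; 28 May 2011 16:18:48 -0000\n"
)
SAMPLE_UNBRACKETED = (
    "Received: from mx.example.net (mx.example.net 2001:db8::1:1234)\n"
    "  by mail.example.com ([IPv6:2001:db8:1::5])\n"
    "  with ESMTP via TCP id 12345; 28 May 2011 16:18:48 -0000\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_COLON, SAMPLE_CLAUSE, SAMPLE_UNBRACKETED):
        t = parse_received(sample)
        print(t.addr, t.port, t.port_source, "ambiguous" if t.ambiguous else "ok",
              "correlatable" if nat_correlatable(t) else "not correlatable")
```

The third sample is the case behind John's bracket remark: "2001:db8::1:1234" is itself a valid IPv6 address, so once the brackets are dropped no parser can tell whether 1234 is a port or the last hextet, and the line is useless for the correlation the draft is after. The "port" clause avoids that by construction, which is why the parser tries the clause whenever the TCP-info yields no port.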
