Re: [ietf-smtp] EHLO domain validation requirement in RFC 5321
2020-09-27 10:34:16
On 9/27/20 11:04 AM, John R Levine wrote:
> On Sun, 27 Sep 2020, Keith Moore wrote:
>> For example, should the standard insist that client SMTPs have and
>> use an outgoing IPv4-capable interface any time the server SMTP is
>> reached (directly or indirectly) via IPv4? Or should client SMTPs
>> be forced to use IPv6-to-IPv4 SMTP relays rather than NAT64?
>> Should we have to keep maintaining a public IPv4 network indefinitely
>> (or at least until IPv6 is globally ubiquitous)?
>> To me NAT64 seems like an essential tool for transitioning to IPv6
>> and one quite often chosen by carriers, and I don't see the benefit
>> in adding complexity to the SMTP signal chain (with the consequent
>> degradation of reliability) just to preserve this rule.
>
> This seems backward to me. Keeping in mind that upwards of 90% of all
> mail is spam, and reliable spam signals are valuable, we know from
> experience that real mail servers have static addresses and matching
> forward and reverse DNS.

I would say instead that because some subset of inbound MTAs do EHLO
verification, "real mail servers" (i.e. those which manage to continue
to deliver mail with some reliability) are forced to have static IPv4
source addresses for which PTR lookup results match EHLO arguments.

In other words, "real mail servers" (i.e. client SMTPs that manage to
deliver mail with some reliability) are forced to jump through arbitrary
hoops in order to overcome SMTP servers' arbitrary restrictions.

> Anything that comes from a dynamic or NAT pool is invariably spam from
> a botnet.

No, because nobody is looking that closely. It's basically just
prejudice that assumes that "legitimate" senders have static IP
addresses, delegation of the corresponding zone in in-addr.arpa, and the
knowledge to populate the PTR records. Or to put it differently - it's
prejudice that assumes that the only people who should be able to send
mail are those with the resources to arrange for all of that. (Which,
given the shortage of IPv4 addresses, is getting more and more difficult
to do.)

And the prejudice (like many kinds of prejudice) becomes
self-fulfilling, because those who don't have the resources to do those
things fail at their businesses, while those who don't necessarily care
about delivering mail reliably (spammers, botnets) but only care about
being able to deliver mail in significant volume, aren't eliminated.
It's exactly the same thing as a belief that "/those/ people don't drive
nice cars and live in nice neighborhoods, so clearly they're doing
something sketchy and should be treated with suspicion", which then
causes those people to be marginalized and can force some of them to
resort to sketchy means of making a living.

So yeah, I'm not a big fan of this kind of mechanism even if it seems to
work under current conditions. I certainly don't think it belongs in
a stable protocol specification, because it relies on conditions that
can and should change over time.

> Small mail servers send and receive on the same address, so if they're
> going to work on IPv4 at all, they need a static v4 address. Large
> providers do NAT64 for their customers, but that's not where they put
> their mail servers (or any servers that need an A record.) They have
> a chunk of static v4 space for that, and that's where they put their
> outgoing mail hosts, too.

We need to give some thought to how this works across a transition away
from a ubiquitous public IPv4 Internet, to an Internet that is a mixture
of IPv4 and IPv6 (where not all parties have IPv4 access) and tied
together by NATs of various kinds and interception proxies, and
subsequently to an Internet in which IPv6 is ubiquitous and IPv4 is the
rare exception.

To me it appears that EHLO argument verification imposes unreasonable
constraints on enterprise networks, mail providers, and network
operators which have nothing to do with the legitimacy of their content.

> Also remember that mail hosts don't need a lot of address space. I've
> seen estimates of the total number of SMTP hosts in the 100,000 range.

Fair, but why should we need to retain _any_ semblance of a public IPv4
Internet just so mail can be delivered reliably as the Internet
transitions to IPv6? Or alternatively, why should there need to be a
flag day at which SMTP servers have to turn off EHLO verification?

Keith
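
The check this thread argues about, sketched as an added example (it is not from the thread or from any MTA): it assumes the strict variant in which the peer address's PTR name must resolve back to that address and also equal the EHLO argument. The DNS tables, host names, addresses and sessions are constructed, using documentation ranges.

```python
import ipaddress

# Constructed DNS data: documentation address ranges and example names only.
PTR = {
    "192.0.2.25": "mail.example.org",              # static IPv4 mail host
    "198.51.100.77": "nat64-pool-77.isp.example",  # carrier NAT64 pool address
    "2001:db8::25": "mx.v6only.example",           # IPv6-only mail host
}
FORWARD = {
    "mail.example.org": {"192.0.2.25"},
    "nat64-pool-77.isp.example": {"198.51.100.77"},
    "mx.v6only.example": {"2001:db8::25"},         # AAAA only, no A record
}

def check_ehlo(peer_ip, ehlo_name):
    """Return (verdict, reason) for a connection as the receiving server sees it."""
    peer = str(ipaddress.ip_address(peer_ip))      # canonical text form
    name = ehlo_name.rstrip(".").lower()
    ptr = PTR.get(peer)
    if ptr is None:
        return "fail", "no PTR record for peer address"
    if peer not in FORWARD.get(ptr, set()):
        return "fail", "PTR name does not resolve back to peer address"
    if ptr != name:
        return "fail", "EHLO argument differs from PTR name"
    return "pass", "forward and reverse DNS match EHLO argument"

# Constructed sessions: (description, peer address seen by server, EHLO argument).
SESSIONS = [
    ("static IPv4 host", "192.0.2.25", "mail.example.org"),
    ("IPv6-only host, native IPv6 path", "2001:db8::25", "mx.v6only.example"),
    ("same IPv6-only host via NAT64", "198.51.100.77", "mx.v6only.example"),
    ("address with no reverse DNS", "203.0.113.9", "host.example.net"),
]

def run_sessions():
    """Evaluate every constructed session; returns (description, verdict, reason)."""
    return [(desc, *check_ehlo(ip, name)) for desc, ip, name in SESSIONS]

if __name__ == "__main__":
    for desc, verdict, reason in run_sessions():
        print(f"{verdict:4}  {desc}: {reason}")
```

The second and third sessions come from the same host with the same EHLO argument; only the address the server sees differs, and that alone changes the verdict.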