Re: [ietf-smtp] EHLO domain validation requirement in RFC 5321

Keith Moore writes:

On 10/4/20 7:09 PM, Sam Varshavchik wrote:
Life's not fair.
Whether it's fair, or not, if someone wishes to evaluate an individual IPaddress based on its "neighborhood", a.k.a., the hosting provider, it istheir prerogative to do so. Their mail server, their rules.
As long as they're only handling their own mail, I'd agree.

It's unclear to me how they could end up handling something that's not theirown mail. Doing so would, at least, involve hijacking DNS records to repointsomeone else's mail to their own mail server. But that would fall waaaaaayout of scope, here.

Or, if someone decides to willingly outsource their evaluation to a thirdparty provider, it is their prerogative to do so as well.
Sure, though one hopes that the third party operates by published criteriathat helps the client evaluate that provider's effectiveness and sanity.

That's neither here, nor there. One can publish anything. Whether they abideby what they publish, in practice, it's a different story. But everyoneshould make their own decisions, for themselves.

To my knowledge, none of the widestly used, and most popular third party E-mail reputation services have any kind of authoritative, published manifestoabout how they go about doing what they do. Anything beyond very, verygeneral and non-specific description of what they're all about, and whattheir lofty goals are. Some are more specific than others, but nobody willactually state, for the record, exactly how they get from point A to point B.


And that has always been the way as far as I can remember.

And they are still used.

And this has been a frequent criticism from their detractors, and I suspectthat you're using this rigorous standard as an indirect way of attempting todiscredit all third party E-mail reputation services. Well, be it as it may.But this does not discredit them in my eyes. But that's only because I thinkmost of them are already discredited, for other unrelated reasons. I stoppedusing all of them, some time ago, after I concluded that things have changedsufficiently, over the years, for them to be worth anything, any more.

But I certainly have no objection to anyone else still using them. It's afree world. Who am I to tell someone who they should or should not acceptmail from, and why?

what point does this depart from common sense and into the realm of pureprejudice? ("That IP address is from across the tracks, which is a bad partof the net.")
Yes, it is prejudice. So?
At least you're willing to admit it.
See, I'm fine with penalizing operators that have clearly established badreputations through bad behavior. I'm not so fine with penalizingoperators that merely have the misfortune to have "bad IP addresses", orsend traffic from "bad neighborhoods".

You are entitled to your opinion. But you need to understand that, insofaras the operators of those mail servers go, they don't really value youropinion that much. Most of them don't even know who you are. Or who I am.They only see what's incoming on their port 25, and they will make theirdecision accordingly, and they won't really care whether someone else acrossthe world thinks of it.

There happens to be some entities who do not like the side of railroadtracks that I live in, by the way. Or, they outsource their mail filteringto third parties that carry that opinion. I never whined about how unfair itis. And it never entered my mind to complain to them as well. I recognizedthat it's their mail server, their rules. They are free to take care oftheir business, and I'm free to take care of mine, in whichever way I seefit.
The purpose of IETF (and therefore this list) is to promoteinteroperability, not to degrade it or shield those who do so.

And specifying how EHLO/HELO, MAIL FROM, RCPT TO, and DATA works, on apurely technical level – this can't be any more interoperable than italready is.

Whether or not someone accepts mail from someone else is a matter of policy,not interoperability.

Interoperability is promoted by having a rigid, unambiguous, technicalspecification for something. That spells everything out in detail. SMTP ismuch more interoperable than other mail protocols that better be leftunsaid, which had poor specs from the beginning that created manyinteroperability headaches, for decades. As far as that goes, I think thatSMTP is remarkably interoperable.

But I don't think there's anything technical in requiring any particularvalidation or non-validation criteria, or a policy, for the sender's IPaddress, or a domain, that falls outside of SMTP's strict boundaries. That'sa matter of policy, and not a technical specification, and bears norelevance on interoperability.

Yes, they may seem to be arbitrary to an outside observer. But, they musthave merit to whoever is using that spam filter. If it didn't have anymerit, then they would not be put into place, by definition.
I disagree.  I've seen lots of spam filtered for meritless reasons, I've

You concluded that it was meritless to yourself. You did not make thatconclusion for anyone else.

seen lots of examples of operators engaging in completely arbitrary behavior.

Arbitrary in your eyes. In their eyes, it's unclear how arbitrary or notarbitrary it was. You cannot know that without asking them and getting theiranswer. They may have perfectly legitimate reason for engaging in thebehavior you deemed to be arbitrary. You don't know that.

And the only ones whose opinion counts, with respect to their mail server,is them.
Emphatically disagree.

This has been alluded to before, briefly. Back in the 1990s, there was arather …vocal group who proferred the notion that mail server administratorshave no standing to control E-mail sent or received by their users. Thattheir users had some kind of a right to receive all E-mail unfettered andthat mail administrators have no right, of some sorts, to block it for anyreason.

Let's just say that the group of individuals I'm referring to – and some onthis list know exactly who they are – were not saying much different fromwhat you are saying here. … and at about this point I started describing howwell their ideas were received, what everyone thought of them and howeveryone else assessed their … faculties, but when I reread it I realizedthat this came off too negative, so I decided to delete all of that, andjust get to the bottom line:

No matter how much someone asserts to the contrary, the administrators ofmail servers will always have complete, and have the only say, as to theirmail servers' administrative policies. And there's nothing that anyone willbe able to do about it. No matter how much anyone else, you or anyone else,thinks of the merits of their work. Sorry. Write any requirement into thenext SMTP specification, that attempts to dictate policy. It won't work.

And that path leads to a thoroughly dysfunctionalmail system, in which senders cannot assure the reliable delivery of mail


This has never been the case, sorry.

E-mail, as it stands, has never been a reliable, guaranteed message deliverymedium. At most, E-mail has always been on a best-effort basis.

If it makes sense, to them, to enable EHLO domain verification (draggingthis subject matter back into the thread kicking and screaming), thenthey're going to do that no matter what verbiage remains in the successor toRFC 5321. You can take that to the bank.
Yes, people will defend their own stupidity and irresponsibility until theirdeathbeds. That doesn't mean that IETF should support it.

Well, I'm somewhat skeptical that they're looking for IETF's support onanything. And I don't really know what "IETF should support it" means inthis context. Is IETF about setting everyone's mail acceptance mailpolicies, by decree?

pgpEassTfsZiz.pgp
Description: PGP signature

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp