ietf-smtp
[Top] [All Lists]

Re: [ietf-smtp] Followup to your reply on the IETF-SMTP mailing list

2021-05-25 05:40:31
On 24 May 2021, at 12:43, Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:
As the discussion is fully non-personal, I think you don't mind if I CC the 
list.

No, I don’t mind, but as a result, we still broke the conversation threading. 
It would be nice if mailarchive.ietf.org offered a “Download message” option 
next to the “Show header” option. This would have made it straightforward to 
import your message into my mailbox.

One thing is the definition of /email service provider/.  The wikipedia 
article
you link to is correctly named /Mailbox provider/.  A number of people 
consider
ESPs a different kind of business.  Others, especially foreigners, don't 
grok that.
I don’t like the term “mailbox provider” because these companies provide 
much more than just a mailbox, namely email submission and delivery, spam 
prevention, and message filtering with Sieve or some other interface. For 
me, email service provider is a suitable equivalent to Internet service 
provider (ISP). Do you think of Mailgun, SendGrid, Postmark, etc. when you 
hear “email service provider”? I called them SMTP service providers or email 
delivery vendors in the box about reputation 
(https://explained-from-first-principles.com/email/#reputation).


Hm... /email delivery vendor/ sounds interesting.  Unfortunately, ESP is well 
established already (among the people who knows what that is).

Mailbox provider was told me by JD Falk when I was caught in the same trap:
https://web.archive.org/web/20100613121358/http://mipassoc.org/pipermail/abuse-feedback-report/2009q3/000360.html

Even if MPs offer many more services, mailboxes are associated with email 
addresses, which are the most noteworthy elements of visibility.

An alternative name is MSP (without 'E'), defined in email arch. as:

  Transit:    Mail Service Providers (MSPs) that offer value-added
              capabilities for Edge ADMDs, such as aggregation and
              filtering.

Thank you for the additional context. Personally, I strongly object to the idea 
that mail service provider (MSP) and email service provider (ESP) can stand for 
different things. In the context of email, mail and email are used 
interchangeably. But there is also another reason why I don’t like the term 
“mailbox provider”: The term “mailbox” is used to refer to both an email 
account, which is identified by an email address, and a message folder in such 
an account, as defined by the IMAP standard. While I use the term only in the 
former meaning, some mail clients such as Apple Mail use the latter. Moreover, 
the term “email service provider” is too generic to refer only to transaction 
emails and bulk mailings, in my opinion. I will add a note about the different 
usages to my article, though.

I didn't see the topic of remote code execution in your article.  However, 
Javascript can be embedded inside html pages, where browsers normally execute 
it.  I hope email clients don't, but I don't recall feature statements in 
this regard.

I wrote in https://explained-from-first-principles.com/email/#html-emails 
<https://explained-from-first-principles.com/email/#html-emails>: “For security 
reasons, mail clients don’t execute sender-provided JavaScript.”

However, some email service/mailbox providers support dynamic content with a 
whitelisted JavaScript framework: 
https://explained-from-first-principles.com/email/#dynamic-content 
<https://explained-from-first-principles.com/email/#dynamic-content>

A recursive resolver doesn't have to be DNSSEC aware.  A client issues a call 
and looks for a TXT RR in the response.  A fussy client has to explicitly 
look for CNAME records in order to increase the count when it finds them.  
IMHO, it makes no sense.  Resolving implies additional calls issued by the 
resolver to navigate any involved zone cut, and these are certainly not 
counted.

You make a good point here. I still think this aspect should be clarified in 
the standard so that an SPF record with CNAME indirections and 10 lookups is 
either valid for all clients or none of them.

And the beauty of TLSA records is that the MX operator maintains them. All I
have to do as a domain owner is to deploy/enable DNSSEC on my domain.

You're right.  I assumed the TLSA record was not a CNAME.  I guess you mean:

_25._tcp.my-domain.example. IN CNAME _25._tcp.MX-operator.example.

No, I meant that DANE-aware ESMTP clients first resolve the MX indirection and 
look for TLSA records on the “target/MX” domain.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp