
Re: Last Call: <draft-ietf-marf-spf-reporting-08.txt> (SPF Authentication Failure Reporting using the Abuse Report Format) to Proposed Standard

2012-03-02 23:54:27
Murray S. Kucherawy wrote:
I suggest:

OLD:
   In addition to the advice in security considerations of
   [I-D.IETF-MARF-AS] the additional consderations apply to [SPF] auth
   failure reports.  If the MAIL FROM command is not the NULL return
   address, i.e., "MAIL FROM:<>", then the selected MAIL FROM address
   MUST pass [SPF] MAIL FROM checks on receipt.  The HELO/EHLO command
   SHOULD also be selected so that it will pass [SPF] HELO checks.

NEW:
        In addition to the advice in the Security Considerations section of
        [I-D.IETF-MARF-AS], these additional considerations apply to
        generation of [SPF] authentication failure reports:

        o If the return address to be used will not be the NULL return
          address, i.e., "MAIL FROM:<>", then the selected return address
          MUST be selected such that it will pass [SPF] MAIL FROM checks
          upon initial receipt.

        o If the report is passed to the Mail Submission Agent (MSA)
          using [SMTP], the HELO/EHLO command parameter SHOULD also be
          selected so that it will pass [SPF] HELO checks.

If needed, MSA is defined in RFC5598, so maybe this is another argument for adding it as an informative reference and changing to use ADMD as discussed in the other thread.

If applicable, I would like to provide the following implementation note:

MSA - what kind?

The PORT 587 kind or a Port 25 kind with a user using ESMTP AUTH?

Why?

Since RFC6409 (formerly 4409) has a PORT 587 and ESMTP AUTH requirement which the public SMTP port does not, it was used as an indicator and method to skip the strong EHLO checking requirement.

In practice this became necessary with the growth of the SOHO and home use NAT market, where now Mommy and Daddy had their PCs on the home network, and the MUA they used exposed the private-side IP literal while the connection IP was that of the NAT.

It was a problem for the SUBMISSION protocol with strong EHLO checking requirements.

The solution was to get the MUA (in this case Thunderbird) to offer flexibility in its MTA setting for the EHLO command and, in the meantime, relax a port 587 connection to delay or skip any initial EHLO checking until the required ESMTP AUTH was completed.

With a public port SMTP session, the ESMTP AUTH (MSA-like behavior) is not required, so any EHLO checking can apply when first presented.

Thanks

--
HLS
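As an added illustration of the port 587 versus port 25 EHLO-checking distinction described in the message above (example code written for this page, not from the thread, the draft or any MTA), the Python below defers EHLO checking on the submission port until ESMTP AUTH has completed and, once checking applies, flags the private-side address literal a NATed MUA exposes when it differs from the connection IP. The Session fields, the private network list and the classification labels are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

SUBMISSION_PORT = 587  # RFC 6409 submission: ESMTP AUTH required, unlike port 25

# "Private side" address space a NATed MUA may expose in its EHLO literal.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "::1/128", "fe80::/10")]

@dataclass
class Session:  # assumed shape of a server-side SMTP session record
    port: int            # TCP port the client connected to
    authenticated: bool  # has ESMTP AUTH completed?
    ehlo_param: str      # hostname or address literal from the EHLO command
    peer_ip: str         # connection IP seen by the server (NAT public side)

def ehlo_check_applies(session):
    """Port 587 defers EHLO checking until AUTH is done; port 25 checks at once."""
    return session.authenticated if session.port == SUBMISSION_PORT else True

def parse_address_literal(param):
    """Address inside [192.0.2.1] or [IPv6:2001:db8::1]; None for a hostname.
    Raises ValueError when the bracketed text is not an address."""
    if not (param.startswith("[") and param.endswith("]")):
        return None
    inner = param[1:-1]
    if inner[:5].lower() == "ipv6:":
        inner = inner[5:]
    return ipaddress.ip_address(inner)

def classify_ehlo(session):
    """Labels: deferred, hostname, malformed-literal, literal-match,
    literal-private (the NATed MUA symptom), literal-mismatch."""
    if not ehlo_check_applies(session):
        return "deferred"
    try:
        literal = parse_address_literal(session.ehlo_param)
    except ValueError:
        return "malformed-literal"
    if literal is None:
        return "hostname"  # left to the SPF HELO check on the name
    if literal == ipaddress.ip_address(session.peer_ip):
        return "literal-match"
    if any(literal in net for net in PRIVATE_NETS):
        return "literal-private"
    return "literal-mismatch"
```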