ietf-wg-emailcore / emailcore


G.7.6. Requirements for domain name and/or IP address in EHLO #19

Closed ietf-svn-bot closed 2 years ago

ietf-svn-bot commented 3 years ago

keyword_SMTP owner:todd.herr@valimail.com type_defect | by alexey.melnikov@isode.com


4.1.4. Order of Commands

An SMTP server MAY verify that the domain name argument in the EHLO command actually corresponds to the IP address of the client.

Proposed change by David MacQuigg, david_macquigg@yahoo.com on 2009.01.30 06:37 -0700 to:

An SMTP server MAY verify that the domain name argument in the EHLO command has an address record matching the IP address of the client.


Issue migrated from trac:19 at 2022-01-31 12:34:53 +0000

ietf-svn-bot commented 3 years ago

@alexey.melnikov@isode.com set keywords to SMTP

ietf-svn-bot commented 3 years ago

@alexey.melnikov@isode.com changed title from Requirements for domain name and/or IP address in EHLO to G.7.6. Requirements for domain name and/or IP address in EHLO

ietf-svn-bot commented 3 years ago

@alexey.melnikov@isode.com set component to smtp

ietf-svn-bot commented 3 years ago

@vesely@tana.it commented


A radical change was proposed by Sam Varshavchik before the creation of emailcore: I think that the "MUST NOT", in there, should be, at the most, a "MAY NOT". The only situation where MUST NOT makes sense in my eyes would be someone who's already authenticated; a mail client on port 587. https://mailarchive.ietf.org/arch/msg/ietf-smtp/ABAL9xbBFTTlZ83lmU5XpyRRGPE

Emailcore was created shortly afterwards, and the discussion synthesized as: The wording in Section 4.1.4 needs to be changed so as to distinguish submission[*] from server to server relaying. As for the latter, there seems to be consensus on "SHOULD NOT": https://mailarchive.ietf.org/arch/msg/emailcore/rX4A8_mILuijOt3RzeSMXAq5op0

[*] See also Appendix G.6.1

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com changed status from new to assigned

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com set owner to todd.herr@valimail.com

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com commented


Will review referenced list postings before commenting further.

ietf-svn-bot commented 3 years ago

@alexey.melnikov@isode.com commented


Note that SMTP Submission is a separate RFC, so it is not currently in scope for EMAILCORE WG. But concentrating on relay case makes sense.

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com commented


Discussion at IETF 110 (https://codimd.ietf.org/notes-ietf-110-emailcore) landed on adding text to the Applicability Statement regarding how mail might be rejected if EHLO hostname doesn't resolve in DNS to IP address of SMTP client.

Current 5321 text is

   An SMTP server MAY verify that the domain name argument in the EHLO
   command actually corresponds to the IP address of the client.
   [[CREF13: [5321bis] [[Note in draft -- proposed change to "An SMTP
   server MAY verify that the domain name argument in the EHLO command
   has an address record matching the IP address of the client." --David
   MacQuigg, david_macquigg@yahoo.com, Friday, 20090130 0637 -0700]]]]
   However, if the verification fails, the server MUST NOT refuse to
   accept a message on that basis.  Information captured in the
   verification attempt is for logging and tracing purposes.  Note that
   this prohibition applies to the matching of the parameter to its IP
   address only; see Section 7.9 for a more extensive discussion of
   rejecting incoming connections or mail messages.

Strawman for 5321bis, post IETF 110, to replace entire block above is:

   An SMTP server MAY verify that the domain name argument in the EHLO 
   command has an address record matching the IP address of the client.

Strawman for Applicability Statement:

   If the domain name argument in the EHLO command does not have an address
   record in the DNS that matches the IP address of the client, the SMTP
   server may refuse any mail from the client as part of established anti-abuse
   practice. Operational experience has demonstrated that the lack of a matching
   address record for the domain name argument is at best an indication of
   a poorly-configured MTA, and at worst that of an abusive host.

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com commented


Text to be proposed on-list.

ietf-svn-bot commented 2 years ago

@todd.herr@valimail.com commented


The "Strawman for 5321bis" text was incorporated into 5321bis-05.

Moving ticket to Applicability Statement work, and continuing discussion on-list about that part.

ietf-svn-bot commented 2 years ago

@todd.herr@valimail.com changed component from smtp to email-applicability-statement

ietf-svn-bot commented 2 years ago

@todd.herr@valimail.com commented


Still discussing on list what text to use in 5321bis.

Current suggestion is

   An SMTP server MAY verify that the domain name argument in the EHLO
   command is a fully-qualified domain name. See [A/S] for further discussion.
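As an added example (not from the ticket, RFC 5321, or any emailcore draft), here is a Python function that performs the verification the two strawman texts describe: it checks that a domain-name EHLO argument is a fully-qualified domain name, looks up its address records, and reports whether any record matches the client's IP address; it also handles the address-literal form that RFC 5321 permits in EHLO. DNS is replaced by a constructed in-memory table (`FAKE_DNS`), and the `EhloCheck` result type is an assumption of this example. The result is returned for logging; whether a mismatch is only logged or used to refuse mail is left to local policy, which is the point the thread is deciding.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed in-memory stand-in for DNS A/AAAA lookups, keyed by lower-case
# FQDN without trailing dot. A real MTA would query its resolver here.
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10", "2001:db8::10"],
    "mx.example.net": ["198.51.100.5"],
}

# RFC 5321 domain syntax: LDH labels; require at least two labels for an FQDN.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+\.?$")

@dataclass
class EhloCheck:
    argument: str
    kind: str                        # "fqdn", "literal" or "invalid"
    matches_client: Optional[bool]   # None when no comparison was possible
    detail: str                      # human-readable reason for the log line

def lookup_address_records(name: str) -> List[str]:
    """Return the A/AAAA records for name from the constructed table."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])

def verify_ehlo(argument: str, client_ip: str) -> EhloCheck:
    """Check whether the EHLO argument has an address record matching client_ip."""
    client = ipaddress.ip_address(client_ip)
    # Address-literal form also permitted by RFC 5321: [192.0.2.1] or [IPv6:2001:db8::1]
    if argument.startswith("[") and argument.endswith("]"):
        inner = argument[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return EhloCheck(argument, "invalid", None, "malformed address literal")
        return EhloCheck(argument, "literal", literal == client, "literal compared to client IP")
    if not _FQDN_RE.match(argument):
        return EhloCheck(argument, "invalid", None, "not a fully-qualified domain name")
    records = [ipaddress.ip_address(r) for r in lookup_address_records(argument)]
    if not records:
        return EhloCheck(argument, "fqdn", None, "no address record found")
    return EhloCheck(argument, "fqdn", client in records, f"{len(records)} address record(s) compared")
```

A `matches_client` of `None` (no record, or an unparseable argument) is a distinct outcome from `False` (records exist but none match), which is the distinction a log line or a reject policy would want to keep.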

ksmurchison commented 2 years ago

The "Strawman for Applicability Statement" text was incorporated into as-03