headers
Peter J. Holzer | 6 May 2013 10:56
Picon
Favicon

Domain names in the presence of CNAME records

Hello everybody,

this is a somewhat theoretical topic, but it seems to come up every few
years in usenet discussions, so I'll ask for clarification/opinions.

Consider this DNS configuration:

A.example.com. CNAME M.example.com.
M.example.com. MX    10 S.example.com.
S.example.com. A     192.0.2.1

Now an MTA receives a message addressed to <user <at> A.example.com>. This
MTA is a relay system and has no special configuration with regard to
A.example.com.

RFC 5321, section 5.1 specifies how to resolve "A.example.com", so by
following the chain A.example.com -> M.example.com -> 192.0.2.1 the MTA
will end up connecting to 192.0.2.1. We now have an SMTP connection and
I will call this MTA the client and 192.0.2.1 the server.

Which address should the client use in the RCPT TO command?

1) <user <at> A.example.com>, because a relay must pass on the message
   unmodified.
2) <user <at> M.example.com>, because M.example.com is the canonical name 
   of the recipient domain.
3) Undefined behaviour. The MTA could even have rejected the message.
4) Other.

If the client sends "RCPT TO:<user <at> A.example.com>", how should the
(Continue reading)

Permalink | Reply | 7 comments |
headers
johnsonhammond2 | 27 Apr 2013 18:52
Favicon

Biggest Fake Conference in Computer Science

Biggest Fake Conference in Computer Science

We are researchers from different parts of the world and conducted a study on  
the world’s biggest bogus computer science conference WORLDCOMP 
( http://sites.google.com/site/worlddump1 ) organized by Prof. Hamid Arabnia 
from University of Georgia, USA.

We submitted a fake paper to WORLDCOMP 2011 and again (the same paper 
with a modified title) to WORLDCOMP 2012. This paper had numerous 
fundamental mistakes. Sample statements from that paper include: 

(1). Binary logic is fuzzy logic and vice versa
(2). Pascal developed fuzzy logic
(3). Object oriented languages do not exhibit any polymorphism or inheritance
(4). TCP and IP are synonyms and are part of OSI model 
(5). Distributed systems deal with only one computer
(6). Laptop is an example for a super computer
(7). Operating system is an example for computer hardware

Also, our paper did not express any conceptual meaning.  However, it 
was accepted both the times without any modifications (and without 
any reviews) and we were invited to submit the final paper and a 
payment of $500+ fee to present the paper. We decided to use the 
fee for better purposes than making Prof. Hamid Arabnia (Chairman 
of WORLDCOMP) rich. After that, we received few reminders from 
WORLDCOMP to pay the fee but we never responded. 

We MUST say that you should look at the above website if you have any thoughts 
to submit a paper to WORLDCOMP.  DBLP and other indexing agencies have stopped 
indexing WORLDCOMP’s proceedings since 2011 due to its fakeness. See
(Continue reading)

Permalink | Reply | 0 comments |
headers
Stephan Bosch | 24 Apr 2013 01:10
Picon

Seemingly unused ABNF rule in RFC 5321

Hi,

Section 4.1.2 of RFC 5321 states the following ABNF production:

  Argument       = Atom

Strangely, I cannot find where this production is referenced or used. In the preceding obsoleted RFC2821,
the situation seems identical and in RFC 821 that production didn't exist.

So, what is this used for?

Regards,

Stephan.

_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 0 comments |
headers
Timo Sirainen | 10 Apr 2013 23:22
Picon
Picon
Favicon

Submission DATA reply to indicate auto-save

GMail's submission server saves all the submitted mails to the sender's Sent mailbox. After this most IMAP
clients with their default configuration will again save the same mail to the Sent mailbox. I'm not sure if
GMail removes one of them as a duplicate or not. I've been considering doing a similar feature to Dovecot
(it will most likely have a proxying submission server in near future), but it would be nice to tell the SMTP
clients that this auto-saving is happening, so they could skip the IMAP APPEND part with default configuration.

Of course there are the LEMONADE extensions that are supposed to solve this same issue, and Dovecot will
support those as well, but I think it's going to take a while for clients to actually implement those.
There's likely much better chance of them implementing a small check for "oh, the mail was already saved,
I'll just skip the IMAP APPEND." Even if any clients themselves didn't implement this, it would make it
possible to implement a simple SMTP+IMAP proxy locally that catches the flag and supresses the APPEND
before it reaches the network.

So, any thoughts on creating an RFC for this functionality? I'm not familiar enough with SMTP yet to know
what would be the best design for that notification. Maybe a new extended status code? Maybe change some of
the DATA reply's text part to have a special meaning? A simple flag is enough I think, because it's
reasonable to require that both the server and client supports IMAP SPECIAL-USE to find the \Sent flagged
mailbox. Returning IMAP UIDVALIDITY+UID could help IMAP clients a bit more, but that's maybe a bit too
ugly (and not always possible).

_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 14 comments |
headers
Sabahattin Gucukoglu | 26 Mar 2013 17:17

Private Domain Names and the EHLO/HELO Command

Hi,

Once again I am faced with the question of what to do (as a "Dumb" SMTP 
client) when my outgoing interface has a private IP address and the name 
is locally administered.  I checked RFC 5321 and can't get a 
*definitive* answer concerning whether or not a name like 
"Computer-Name.local" or "something.lan" is actually fully-qualified or 
not; certainly it is not *publicly* resolvable, but it is resolvable 
within the environment.  My feeling is that it does not meet the 
definition of an FQDN.  I cannot determine my name with only a private 
address, and my name is likely to be meaningless if I resolve it.

So, what should I do when sending the HELO/EHLO command again?  Is it 
worthwhile providing a "What is my name?" callback (that can be 
overridden) to try and automagically detect whether or not our name is 
likely to be meaningful based on domain suffix or IP address, and if 
not, use address literal?  Or, given how some sites hate address 
literals, would it be easier and simpler to just churn out a completely 
useless "FQDN"?  (I can't really see any convincing privacy argument in 
favour of one over the other, either.)

Cheers,
Sabahattin
_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 10 comments |
headers
Murray S. Kucherawy | 22 Mar 2013 18:01
Picon

Authentication-Results

Colleagues,

(with apologies for the cross-posting if you get more than one copy of this)

As you may have seen already, I'm working on a revision to RFC5451.

A Proposed Standard "bis" effort always benefits from describing extant implementations.  I know about the ones I've written, and about some very public uses of it (Gmail, Yahoo, for example).  If there's anyone in this audience that knows of others, I'd love to hear about it.

Reviews of the update are also welcome:

https://datatracker.ietf.org/doc/draft-kucherawy-rfc5451bis/

Thanks,
-MSK
_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 1 comment |
headers
John C Klensin | 21 Mar 2013 18:12

FWD: Re: When using TLS, would randomizing the order of the EHLO response be helpful?

More from Steve...

---------- Forwarded Message ----------
Date: Thursday, March 21, 2013 12:23 -0400
From: Steven Bellovin <smb <at> cs.columbia.edu>
To: John C Klensin <klensin <at> jck.com>
Subject: Re: [ietf-smtp] When using TLS, would randomizing the
order of the EHLO response be helpful?

One last word on the RC4 issue...

See http://www.theregister.co.uk/2013/03/15/tls_broken/ and note
this:

"It's not a very practical attack in general, requiring at least
16,777,216 captured sessions, but as mentioned, attacks will
only improve in time," said Arnold Yau, lead developer at mobile
security firm Hoverkey. "I think it'd be wise for TLS
deployments to migrate away from RC4 as advised."

2^24 sessions before a few bytes are readable, per
http://www.isg.rhul.ac.uk/tls/

"Don't panic".

---------- End Forwarded Message ----------

_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 0 comments |
headers
Carl S. Gutekunst | 21 Mar 2013 08:47

When using TLS, would randomizing the order of the EHLO response be helpful?

This is a question for folks that actually know crypto, and also know SMTP.

A common theme of many of the recent statistical attacks on TLS (BEAST, 
Lucky 13, the ABPPS RC4 attack) has been knowing that some early part of 
the plaintext was constant. Knowing that some of the early bytes are 
limited to a range, or even fully known, was even more helpful.

On every SMTP server in the world, the first 100 to 250 bytes send by 
the server after TLS negotiation completes are both constant and known: 
they're the EHLO response. So that got me wondering if randomizing the 
EHLO response could be helpful in mitigating statistical attacks. 
Obviously the degree of "randomizing" is limited; RFC 5321 requires the 
first line to be the FQDN of the receiver, and every line will contain 
"\r\n\220-". The most I can do is randomize whole lines. But I don't 
have an intuitive feel for what might be effective in disrupting these 
statistical code-breaking techniques; hence the question.

I fully understand that fixing the vulnerabilities is much more 
important, but with RC4 in particular I'm wondering about hacks that 
might keep it a little more secure, a little bit longer.

<csg>
_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 8 comments |
headers
Murray S. Kucherawy | 4 Mar 2013 07:55
Picon

Re: Reject messages on backup mail exchangers when primary MX is online



On Sun, Mar 3, 2013 at 8:30 PM, Robert A. Rosenberg <hal9001 <at> panix.com> wrote:
At 07:48 -0500 on 02/27/2013, hector wrote about Re: [ietf-smtp] Reject messages on backup mail exchangers w:


Your proposal/suggestion can hurt a working system IMO.  It can't simply
assume that the first MX will be available at all times or that it will
be the first IP tried at all times.  The specs may imply the caller MUST
sort and by implication call the first IP, but it would seem odd to me
to design anything around that.  It would be so unreliable.  You can't
enforce it or guarantee that this order is persistent or consistent.

One addendum. With gray listing, with the first attempt automatically getting rejected with a Try Again status, a good queuing method should be designed to be aware that such a Try Again response COULD be a sign of Gray Listing and compensate for it. This means that if the initial attempt is made to a MX pool (ie: There is more than one MX at the lowest priority) to record which IPN was used and do the retry to it not some MX randomly selected from the MX pool. Otherwise when you end up with a different MX IPN, it may blow you off again due to Gray Listing (ie: There is no way to know if the MXs share a common list of messages that have been Gray List blown off on the first attempt so they will accept the second attempt even if it is made to a different MX or if each have their own list so you will keep getting blown off until by chance you finally connect with a MX who has already blown you off and is thus willing to accept you this time).

_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp

_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 0 comments |
headers
Evert Mouw | 23 Feb 2013 18:57

Reject messages on backup mail exchangers when primary MX is online

Just an idea... maybe it's silly or not worth investigating, but I
thought it wouldn't hurt to ask for comments.

Thanks, Evert

# Reject messages on backup mail exchangers when primary MX is online

---

TODO:

- Cascading? Like: test all MXs with lower preference number.
- Check with [RFC 5321].
- Error messages: correct numbers? Ask for opinions.
  Negative replies can be permanent (5xx codes) or transient (4xx codes).
- Discuss in newsgroup.
- Test.
- Write RFC.

---

Author: Evert Mouw <post <at> evert.net>

History:

- 2013-02-06 first version

## Problem

Multiple incoming mail servers (Mail eXchangers; MX) may be configured
for a DNS domain. The MX with the highest priority, that is, the
*lowest* preference number, MUST be contacted ([RFC 5321]) by the
mailserver of another domain if that other mailserver wants to send mail.

The MX with the lowest priority number is therefore called the *primary*
MX. The other MXs are *backup* servers. The backup servers will be used
by the sending party if the primary MX cannot be reached for whatever
reason. In practice, reasons might, for example, be related to network
configuration errors or hardware failure.

Spammers have found that sending spam to both the primary MX and one or
multiple backup MXs often works great to increase the number of spam
messages being delivered. Often, backup MXs are less well configured to
stop SPAM. Even if they are well configured, clever spam messages might
be delivered by both the primary and the backup MXs, resulting in
multiple spam messages for a receiver.

Many mail administrators have responded by removing the backup MXs
alltogether. The added costs of more spam, electricity and maintenance
cost does not rationalize the availability of a backup MX. When the
primary MX is offline, than the mails for the domain will be queued by
the mailservers of the sending parties.

This has major drawbacks. First, it places the costs of the storage and
retries to the sending party while that party is not responsible for the
downtime of the receiving mailserver. Second, when the primary MX is
offline for too long, messages might be lost. Third, messages might be
delayed for a long time, even after the primary MX did come back online.

The proper way to address this issue is to deny the use of a backup MX
when the primary MX is online.

## Bad solutions

Some administrators run a periodic script (e.g. cronjob) on the backup
MX to test if the primary MX is online (e.g. netcat to port 25 of the
primary MX). If the primary MX is offline, they dynamically add a
firewall rule to allow incoming port 25 traffic, or they start the SMTP
daemon. Then the primary becomes online again, they block incoming 25
traffic and flush the queue and stop the SMTP daemon.

This causes "mailserver unreachable" errors on legitimately configured
mailservers when the primary MX is online but not reachable due to some
network error on the side of the sender.

It also is a bad solution for multiple-domain mail exchangers.

## One interesting solution

An alternative implementation uses the ETRN command. The primary MX
sends periodically an ETRN request to the backup MXs. The backup MXs
will only become active when they did not receive such an ETRN request
for a preconfigured period of time (e.g., 5 minutes). See the
[hMailServer discussion].

## Proposed solution

On an incoming message, a backup MX should contact the primary MX to
determine whether it is online (e.g., using HELO / EHLO). If it is
online, then the backup MX should react with an error message 551,
indicating that the sending party should try the primary MX first.

	SMTP Error 551 <domain> Try the primary MX first while it is online;
please try <primary MX>

If the sender continues trying such requests, then optionally the backup
MX should periodically blacklist the sender, e.g. by rejecting it with
an error message 550 571 indicating that the sender has too often tried
to mis-use the backup MX.

	SMTP Error 550 5.7.1 You tried me, a backup MX, too often while the
primary MX is online.

Going even further, the offender could be placed on a public blacklist
such as [SpamCop].

## Gotcha's

### The preference debate

There is a so-called [preference debate] on how a sender should react
when the primary MX is not accepting mail of is offline. Some
implementers interpret the RFCs as stating "immediately try a MX with a
higher preference number, while others interpret it as "wait some time,
and then try a MX with a higher preference number". Also, one could
interpret it as "wait some time, and then try them all again, in order".

Some mail servers will wait to try the backup MX for some time after not
being able to deliver to the primary MX. So the following sequence could
happen:

1. Sender tries to contact primary MX and fails; queues message.
- Sender waits for some time.
- Primary MX comes online again.
- Sender tries backup MX.
- Backup MX replies with 551 because the primary MX is back online.
- Sender gives up.

Of course, the sender should not give up.

Some domains use [Nolisting] (Poor Man's Greylisting) and have a dummy
primary MX. Although the claim is made that Nolisting is RFC compliant,
I suggest that it is not in the spirit of the RFCs to list a false
primary MX in the DNS *on purpose*. However, my proposal does not
conflict with Nolisting because when the backup MX tests for
connectivity with the primary MX, it will fail to connect and thus
accept incoming mails. In practice, most MXs listed as backup MX in the
Nolisting approach will behave as if they were a primary MX.

---

[RFC 5321]: http://tools.ietf.org/html/rfc5321
[preference debate]:
http://en.wikipedia.org/wiki/MX_record#The_preference_debate
[SpamCop]: http://www.spamcop.net
[Nolisting]: http://nolisting.org/
[hMailServer discussion]:
http://www.hmailserver.com/forum/viewtopic.php?f=2&t=19439
[RFC 2821]: http://www.ietf.org/rfc/rfc2821.txt
_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 61 comments |
headers
Pete Resnick | 28 Nov 2012 00:02

Re: [Editorial Errata Reported] RFC5322 (3400)

[Bcc'ed to ietf-smtp <at> ietf.org; please discuss over on ietf-822 <at> ietf.org.]

Folks,

The following erratum was posted for 5322. I'm inclined to reject it 
since this discussion actually took place during DRUMS (17-18 March 1998 
in a thread with a subject of "Small Clarification to msg-fmt-04" if you 
are inclined to look) and the consensus outcome as far as I could tell 
(as document editor) was that messages without a final CRLF were SMTP's 
problem. However, 5321 (and 2821) 4.1.1.4 says:

    The mail data are terminated by a line containing only a period, that
    is, the character sequence "<CRLF>.<CRLF>", where the first <CRLF> is
    actually the terminator of the previous line (see Section 4.5.2).
    This is the end of mail data indication.  The first <CRLF> of this
    terminating sequence is also the <CRLF> that ends the final line of
    the data (message text) or, if there was no mail data, ends the DATA
    command itself (the "no mail data" case does not conform to this
    specification since it would require that neither the trace header
    fields required by this specification nor the message header section
    required by RFC 5322 [4] be transmitted).  An extra <CRLF> MUST NOT
    be added, as that would cause an empty line to be added to the
    message.  The only exception to this rule would arise if the message
    body were passed to the originating SMTP-sender with a final "line"
    that did not end in <CRLF>; in that case, the originating SMTP system
    MUST either reject the message as invalid or add <CRLF> in order to
    have the receiving SMTP server recognize the "end of data" condition.

Allowing the originating SMTP system to reject the message as invalid 
seems in conflict with 5322 on this point. So my rejecting this erratum 
will simply end us up with an erratum against 5321.

I'm inclined to hear opinions.

pr

> The following errata report has been submitted for RFC5322,
> "Internet Message Format".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=5322&eid=3400
>
> --------------------------------------
> Type: Editorial
> Reported by: Christoph Anton Mitterer<calestyo <at> scientia.net>
>
> Section: 3.5.
>
> Original Text
> -------------
>     message         =   (fields / obs-fields)
>                         [CRLF body]
>
>     body            =   (*(*998text CRLF) *998text) / obs-body
>
>
> Corrected Text
> --------------
>     message         =   (fields / obs-fields)
>                         [CRLF body]
>
>     body            =   (*(*998text CRLF) *998text) / obs-body
>
> It is RECOMMENDED that message bodies are terminated by CRLF, though this is in principle not necessary
(this does not apply to messages consisting only of a header section, as header fields are always CRLF terminated).
>
> Note however, that when transporting messages via SMTP the last lines of message bodies MUST be
terminated by CRLF as specified int RFC 5321, section 4.1.1.4.
>
> Notes
> -----
> Hi folks.
>
> AFAIU, the definition of body allows message bodies (not header sections) that end without CRLF.
>
> RFC5321 section 4.1.1.4. however states: "The mail data are terminated by a line containing only a
period, that is, the character sequence "<CRLF>.<CRLF>", where the first<CRLF>  is actually the
terminator of the previous line".
>
> So SMTP forbids, what this RFC allows.
> I guess the SMTP RFC can't be changed here and it makes no particular sense to restrict RFC5322 on the other hand.
>
> My suggestion was to add this clarification.
>
> Perhaps a similar one should be added to RFC5321, telling that Internet Messages themselves wouldn't
need the last CRLF.
>
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC5322 (draft-resnick-2822upd-06)
> --------------------------------------
> Title               : Internet Message Format
> Publication Date    : October 2008
> Author(s)           : P. Resnick, Ed.
> Category            : DRAFT STANDARD
> Source              : IETF - NON WORKING GROUP
> Area                : N/A
> Stream              : IETF
> Verifying Party     : IESG
>    

--

-- 
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478

_______________________________________________
ietf-smtp mailing list
ietf-smtp <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
Permalink | Reply | 0 comments |

Gmane