Re: Last Call: 'Message Submission' to Draft Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bruce,

I'm going to try to respond to this note as a courtesy, but we
may need to agree to disagree.  The observation that a number of
implementers and ISPs/mail service vendors have chosen to adopt
the "Submit" model speaks far more loudly than either of our
opinions, at least unless we can make a strong "harmful to the
Internet" argument, which I note you haven't tried to do.
Moreover, for Draft Standard, it is not necessary to even
demonstrate usefulness or deployment --although I suggest that
Randy has documented both-- only the interoperable
implementations exist.  The latter is a fairly objective
criterion, using rules about what counts and what does not that
we have been using for many years.  If you don't like those
rules, that issue should probably be separated from 2476 and
taken, e.g., to newtrk.

More below.

--On Friday, 18 February, 2005 08:32 -0500 Bruce Lilly
<blilly@xxxxxxxxx> wrote:

>...
> One bit of uneasiness is that I'm not convinced that there
> really is something that SMTP clients can't supply which is
> vital to the message format [aside from cases of "the user
> is computer-illiterate and hasn't set the time zone" or some
> such thing]. As it stands, the items required by the message
> format which 2476 permits an MSA to alter are:
> 1. mandatory From header field
> 2. mandatory Date field

That those are the only two fields that are permitted to be
modified is a misreading of the spec.  Please note, e.g., the
sentence "Even when submitted messages are complete, local
site policy may dictate that the message text be examined or
modified in some way." from the opening section (somewhat
mis-identified as "Abstract" of 2476.   Just one example of a
handy and important case not covered by your narrow reading is
covered by the following scenario:

RFC 2821 essentially requires that the addresses in Received
fields be public ones (if that isn't clear enough, it is a
problem in 2821, not 2476).  It also encourages, but does not
require, that the SMTP-ish client on the client machine put in a
trace field, a practice that has become reasonably common since
we clarified that the "Date:" header field was expected to
reflect the composition date-time, not the queuing/sending
date-time.   Many of those organizations that are using private
address space on their LANs, or who are using public addresses
but don't want to expose their topologies, want internal client
addresses to be hidden from public view.  It is rational for a
submission server to alter trace fields other than the ones it
inserts to substitute public addresses for private one or
generic addresses for internal LAN addresses that are considered
sensitive.   A conventional SMTP server is forbidden to tamper
with earlier trace fields unless a convoluted "gateway" argument
is made for it, and we have discussed that situation already.

Similar comments could apply to a number of non-required, but
important (to someone), header fields, including just about
anything that knows or incorporates a domain name.  That list
doesn't just include standardized fields.  I, personally, don't
think 

   Virus-scan: Found to be clean, pure, and in a state of grace

doesn't pass a laugh test, at least in the absence of some
serious digital signature and trust structure action.  If such a
thing came up for standardization, I'd join the rush to make
sure there was a security considerations section that identified
all of the ways malware could invade a message after such a
statement were attached, how the statement itself could be
inserted by malware, and so on.  But people do seem to want to
put them in, they are certainly valid under the relevant specs,
and it might well make more sense to do the work in a submission
server than in an originating MUA.

Note also the discussion in section 8 of 2476.

> All other message header fields are optional [RFC 2822], and
> tampering with the SMTP envelope does not affect the message
> format content (at least not directly; at final delivery the
> SMTP envelope return path gets inserted in a Return-Path trace
> header field).

Even here, there are exceptions, some of which are explicitly
identified in 2476.  I've never been happy with the idea, but
there are many MUAs who either don't have a clue about their own
domain names or that are configured to use an abbreviated-form
domain name, or no domain name at all, on mail that is local to
the MUA's environment.    Virtually every MTA I've seen has
provision for a "default domain" to deal with this problem.  But
that situation implies that mail may leave the desktop with

    MAIL FROM:<foo>
    RCPT TO:<bar@baz>
    ...
    From: foo
    To:   bar@baz

and it is required, to meet the requirements of 2821 and 2822
(and 821 and 822) that these pairs of envelope and header fields
be altered to reflect foo@xxxxxxxxxxxxxx and
bar@xxxxxxxxxxxxxxxxxx or some other set of FQDNs.  Note that
this case is explicitly called out as a requirement in section
4.2 of 2476.

>  Now I can understand that administrators might
> like to enforce policy w.r.t. use of host names under a domain,
> etc., but that's a very different matter from "needed but can't
> be supplied" (paraphrasing). 

But your narrow reading that produces "needed but can't be
defined" is not what the spec says, or has ever said.

> If the issue is really about
> administrative fiddling with message content to centrally
> enforce policy (rather than have policy enacted at the client
> -- which certainly does not appear to be impossible), then say
> so instead of using purported client inability as a
> justification. [then we can move on to discussion of the real
> issue, ACAP, DHCP parameters and extensions, etc.]

Bruce, I personally find it extremely frustrating, both
philosophically and in terms of impact on my own work habits
that IMSP, ACAP, or some member of that family isn't widely
deployed and used.  I also find it frustrating that, while it is
possible to pass SMTP-related information to clients via DHCP,
neither the IETF nor most operating system vendors have provided
a safe, convenient, and reasonably standardized way of picking
that information up.  As has been discussed on this list before,
the number of contexts from which a mail client might want to
identify with for finding that information is also problematic.
I wish there were no incompetent MUAs, running on incompetent
operating systems out there.  And I wish that ISPs, claiming (or
perhaps believing) that it will prevent spam, have decided to
block outgoing SMTP to private servers, even when the traffic is
authenticated.   But none of those are, to me, "the real issue"
and maybe that difference in opinion is why we are disagreeing
here.   If the purpose of this discussion, of "Submit", or of
IETF in general involved designing for a next-generation
Internet, all of whose implementations were perfect and in
conformance with our preferences and biases, then the issues
above would be "the real issue".   

But, instead, I contend that the "real issues" all have to do
with making things work well, or at least better, taking
behavior of implementations in the wild as a given.  In that
"real issues in the real world" context, ACAP isn't a "real
issue", it is irrelevant because we can't seem to get it
deployed.   DHCP isn't a "real issue" in a mail client
configuration context, but is irrelevant because the mail
clients can generally not get to the information with an
acceptable level of work and security -- perhaps sometime, but
not so far.

The Message Submission protocol is designed to provide a way
around those problems, one that works in the real world, escapes
some barriers that have been erected against SMTP, and that is
less harmful than having clients use SMTP for message submission
and having the associated SMTP servers invoke the "gateway rule"
to justify just about anything.  In the real world, those are
real issues, and the Message Submission Protocol has proven to
be a useful tool.   In some idealized, fantasy, world of perfect
clients, perfect operating systems, no security treats, and a
better network-wide understanding of naming and addressing
constraints and issues, we probably wouldn't need it.  But I
don't see us living in that world, no matter how much we might
wish for it.

>...
> How to authorize message-tampering via ESMTP in 3 easy steps
> (some detail omitted):
> 1. server offers TAMPER extension in response to EHLO
> 2. client indicates acceptance of TAMPER option (separate
>    command or argument; as promised, I have omitted details :-)
>    or not, as the case may be (if the client does nothing,
>    tampering is not authorized).
> 3. server tampers if authorized; does not tamper if not
>    authorized.
> That seems almost too easy; what have I missed (aside from the
> details)?

You have missed some ease of deployment issues (it takes a long
time to get an SMTP extension accepted into clients and client
authors resist needing fallback plans when a depended-upon
extension is not offered).  You have also missed the important
fact that the server cannot tell, in this case, whether the
client purports to be an MUA or is just another MTA.  

>> "Message Submission" ("Submit" below) is 
>> obviously different: we allowed for extensions to be used with
>> Submit that are not specified for SMTP (even though no one has
>> done that -- the mechanism has been shown to work with
>> extensions that are also specified for SMTP)
> 
> I'm a bit baffled by that as I can see no ESMTP extension
> specified or referenced by RFC 2476 or the draft which does
> not also apply to SMTP.  The converse is true (but irrelevant);
> ETRN, for example, can be used with SMTP but is forbidden by
> RFC 2476 with an MSA.

That is correct.  2476 only specifies that the extension
mechanism be supported and requires support for some existing
SMTP extensions.  We couldn't very well specify extensions no
one had thought of yet and made the decision to not belabor that
point.

> It's also unclear what "mechanism" you refer to...

The [E]SMTP extension mechanism.

> It seems like the hypothetical "TAMPER" extension (if not
> permitted for non-submission SMTP) would do what is described
> above (and shortly below) as desired...

Not really, for the reasons above.  There was, however, another
model for Submit itself in which the client would specify, via a
new verb, just exactly what message-diddling services it wanted
the server to perform.   That has considerable elegance to it,
especially if one thinks of the MUA-MSA relationship as a
split-function MUA-MTA relationship rather than separate
functions.  But it was just too complicated, especially in the
presence of real-world incompetent clients.

I think maybe that is enough... I've got to get to a meeting.

best,
    john


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]