RE: RBL-type BGP service for known rogue networks?
Shawn,

I noticed that in BIND8, DNS gets _VERY_ unhappy if you use a CNAME for the zone's MX. Maybe there's something else at work....

Karyn

-----Original Message-----
From: Shawn McMahon [mailto:smcmahon@eiv.com]
Sent: Monday, July 10, 2000 8:38 AM
To: nanog@merit.edu
Subject: Re: RBL-type BGP service for known rogue networks?

On Mon, Jul 10, 2000 at 11:10:35AM -0400, Greg A. Woods wrote:
However I should have listed the other requirement that I thought was self-obvious since we're talking about SMTP here. I.e. I don't ever accept e-mail from anything less than the most strictly conforming SMTP implementations. You're violating part one of RFC 1123 section #5.2.5. The name given by your SMTP server in the HELO "MUST" be a canonical hostname. It must not be a CNAME.
Oh, you wanna go there?

5.2.5 HELO Command: RFC-821 Section 3.5

The sender-SMTP MUST ensure that the <domain> parameter in a HELO command is a valid principal host domain name for the client host. As a result, the receiver-SMTP will not have to perform MX resolution on this name in order to validate the HELO parameter.

The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.

Hmm. MUST NOT refuse. Who's violating the RFC here, again?

*ANYBODY* using sendmail from a dynamic IP is either going to do this, or worse. RFC 1123 requires you to live with it. If you choose not to, don't wave the damn RFC around like a magic shield.

CNAMEs are "valid principal host domain name[s]". Nothing in the RFC says it can't be a CNAME, but something in the RFC says you have to accept it even if it's flat-out wrong or a lie.

Your thin ice just cracked, Greg. Admit you're wrong and get on with your life. You're not running an RFC 1123-compliant mail setup at present.
On Mon, Jul 10, 2000 at 09:06:49AM -0700, Karyn Ulriksen wrote:
I noticed that in BIND8, DNS gets _VERY_ unhappy if you use a CNAME for the zone's MX. Maybe there's something else at work....
We're not talking about MXes here. Let's be very clear. We're talking a single workstation with a dynamic IP address. eiv.com's MX points to a completely different box, by an A record, just like it's supposed to. oa.eiv.com's IP address changes periodically, and has a reverse lookup that is not under my control.

*ANYBODY* running sendmail on a box with a dynamic IP is going to see this behavior, unless they play magic sed games to change their sendmail config every time their IP changes. This actually would be doable in my case, but is hardly expectable of everybody who uses a dynamic IP.

And then there are those MUAs that also act as MTAs, doing their own SMTP without going through an external server. They can't all be configured to do what Greg proposes, and who in their right mind would want them to be?

I've quoted the RFC. It says he MUST NOT (it's emphasis, not mine) do what he's doing, in unambiguous terms. Beyond that, I don't really care if I can email him or not. I can email the rest of the world, except for a few ORBS nuts. No loss.

DNS will resolve "oa.eiv.com" to the exact IP of the box sending the email. Greg considers that to be "forging a HELO", and equates it as "very nearly fraud". You'll have to judge for yourself whether or not that's reasonable.

Frankly, I don't care; I've presented the evidence, everybody can make their own choices as to whose idea is reasonable. With very few exceptions, we're all adults here.
On Mon, 10 Jul 2000, Shawn McMahon wrote:
Greg considers that to be "forging a HELO", and equates it as "very nearly fraud". You'll have to judge for yourself whether or not that's reasonable.
Frankly, I don't care; I've presented the evidence, everybody can make their own choices as to whose idea is reasonable. With very few exceptions, we're all adults here.
OK folks.. Can we take a break from our regularly scheduled flamewar? It is very obvious that RBL/ORBS/et al. are not issues that we can all agree on. Can we just agree not to agree and even more, can we agree NOT to piss and moan about it on NANOG?

It is sad when one can read through 70 messages on the list in just under 2 seconds just holding the N key in pine and not miss a single piece of REAL operational content.

PLEASE -- NO MORE!

---
John Fraizer
EnterZone, Inc
[ On Monday, July 10, 2000 at 12:36:52 (-0400), Shawn McMahon wrote: ]
Subject: Re: RBL-type BGP service for known rogue networks?
*ANYBODY* running sendmail on a box with a dynamic IP is going to see this behavior, unless they play magic sed games to change their sendmail config every time their IP changes. This actually would be doable in my case, but is hardly expectable of everybody who uses a dynamic IP.
True enough. That's why people without real Internet connections should be using their ISPs authorised outgoing SMTP relay host, and not pretending by playing silly games with DNS.
And then there are those MUAs that also act as MTAs, doing their own SMTP without going through an external server. They can't all be configured to do what Greg proposes, and who in their right mind would want them to be?
Yes, they can. And most in fact are. And they *MUST* be actually. If you're going to wave the RFC back in my face the least you can do is acknowledge that you're also violating its emphasised requirements. In degrees of violation though it's very important to understand that I can violate the second part of that rule and I only affect my own services. Your violation of the first part of that rule affects everyone your mailer might happen to contact.
DNS will resolve "oa.eiv.com" to the exact IP of the box sending the email.
No, it won't. A CNAME RR does not contain an IP number as its value. The rules are designed in such a way as to avoid having an SMTP server waste its time chasing CNAMEs, especially when they may easily end up in a loop and have to have even more complex code to detect and handle such error conditions.

If you're going to play the game you could at least learn the rules so that you know when you're in the wrong.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
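As an added example (not code from any participant in this thread), here is how a receiving MTA could implement the RFC 1123 section 5.2.5 behaviour both sides argue over: it records whether the HELO name is a canonical A record or a CNAME, bounds the CNAME chase so a loop cannot hang the server (Greg's concern), compares the result with the peer address (the check a receiver MAY perform), and never refuses the message (the receiver MUST NOT). The zone data is constructed, including the CNAME target and address given for oa.eiv.com; a real receiver would query DNS instead.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed zone data for illustration; a real receiver would query DNS.
# "oa.eiv.com" is the dynamic-IP host from the thread; targets/IPs are made up.
ZONE = {
    "oa.eiv.com.": ("CNAME", "dyn-host.example.net."),
    "dyn-host.example.net.": ("A", "192.0.2.10"),
    "mail.example.org.": ("A", "198.51.100.5"),
    "loop-a.example.": ("CNAME", "loop-b.example."),
    "loop-b.example.": ("CNAME", "loop-a.example."),
}

@dataclass
class HeloCheck:
    helo: str
    canonical: bool            # name is an A record, not a CNAME (sender's duty)
    resolved_ip: Optional[str]
    matches_peer: bool         # the optional check a receiver MAY perform
    accept: bool               # always True: receiver MUST NOT refuse on failure
    note: str

def resolve(name, zone=ZONE, max_chain=8):
    """Chase CNAMEs to an A record, bounding chain length and detecting loops.
    Returns (went_through_cname, ip_or_None)."""
    seen, via_cname = set(), False
    while name not in seen and len(seen) < max_chain:
        seen.add(name)
        rr = zone.get(name)
        if rr is None:
            return via_cname, None          # no such name / no usable data
        rtype, value = rr
        if rtype == "A":
            return via_cname, value
        via_cname, name = True, value       # CNAME: follow it
    return via_cname, None                  # loop or over-long chain

def check_helo(helo, peer_ip, zone=ZONE):
    """Verify a HELO parameter without ever refusing the message."""
    via_cname, ip = resolve(helo.rstrip(".") + ".", zone)
    matches = ip is not None and ip == peer_ip
    if via_cname:
        note = "HELO is a CNAME; sender should give the canonical host name"
    elif ip is None:
        note = "HELO does not resolve"
    elif not matches:
        note = "HELO resolves to a different address than the peer"
    else:
        note = "ok"
    return HeloCheck(helo, not via_cname, ip, matches, True, note)
```

Running `check_helo("oa.eiv.com", "192.0.2.10")` against the constructed zone shows both sides' points at once: the chain does end at the peer's address, but the name given is a CNAME, and the verdict is still to accept.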