[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Rules for Rejecting Mail (was Re: Undelivered Mail Returned to Sender)

To: Eric Rescorla <ekr at rtfm.com>
Subject: Rules for Rejecting Mail (was Re: Undelivered Mail Returned to Sender)
From: Glen <glen at amsl.com>
Date: Thu, 15 May 2008 20:04:13 -0700
Cc: Working Group Chairs <wgchairs at ietf.org>, testlist at mail.ietf.org, Russ Housley <housley at vigilsec.com>, Danny McPherson <danny at tcb.net>, Bill Fenner <fenner at fenron.com>, Henrik Levkowetz <henrik at levkowetz.com>
Delivered-to: ietfarch-wgchairs-web-archive at core3.amsl.com
Delivered-to: wgchairs at core3.amsl.com
In-reply-to: <d3aa5d00805151919v52755cd6xb3323e47ff1a5f72@mail.gmail.com>
List-archive: <https://www.ietf.org/mailman/private/wgchairs>
List-help: <mailto:wgchairs-request@ietf.org?subject=help>
List-id: Working Group Chairs <wgchairs.ietf.org>
List-post: <mailto:wgchairs@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/wgchairs>, <mailto:wgchairs-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/wgchairs>, <mailto:wgchairs-request@ietf.org?subject=unsubscribe>
References: <20080515004442.D070B3934C@chlorine.colo.stayonline.net> <B5CE2A4E-628D-475F-8BED-03A1CE2386E3@cisco.com> <C0C81DFE-64E3-43D4-9AEA-217CC989F2AB@tcb.net> <d3aa5d00805151919v52755cd6xb3323e47ff1a5f72@mail.gmail.com>
Sender: wgchairs-bounces at ietf.org
User-agent: Thunderbird 2.0.0.14 (Windows/20080421)

Eric Rescorla wrote:
> Glen,
> It looks to me like mail.ietf.org is still rejecting mail from
> machines which HELO with unknown hosts:
> 450 4.7.1 <romeo2.rtfm.com>: Helo command rejected: Host not found
> EHLO nonexistent.invalid
> 450 4.7.1 <nonexistent.invalid>: Helo command rejected: Host not found
> Did I misunderstand that you were going to suppress this check? If I did,

> and the check is still extant, perhaps it's time to revisit thisdecision, or

> at least to check to see how often it's rejecting valid messages.
> -Ekr

Eric -

Essentially so.

When we did the cutover, we went over the rules the IETF wanted to use,and implemented them. Amongst those rules WERE such elements as:


A. Check that the HELO hostname has an "A" or "MX" record, defer if not.
B. Check that the client IP address maps to a name; defer if not.
C. Check that that name maps back to an IP address; defer if not.
D. Check that the name->address mapping matches the client IP; defer
if not.

These were, in essence, rules given to us by the IETF at the time.

So, when you reported your problem, I engaged members of the IETFtransition team to comment; however, because it was the weekend, andeveryone was gone, I just went in and (temporarily) removed "C" and "D"from the mix, so your mail would get through. (You had added a hostrecord, IIRC, so I didn't need to remove the other rules.)

Although this "solved" the problem for you, which was great, I couldn'tconsider the matter "resolved" at this end, because although I am the ITDirector at AMS, and the chief caretaker of the IETF servers, I don'tfeel good about just making (permanent) changes at the request of oneindividual, because there are so many conflicting views out there that Icould be caught going back and forth forever! :-) I took out those tworules temporarily to solve your problem, pending discussion andconsensus by the IETF about what "they" want, and direction from them toeither restore the missing rules, leave things as-is, or removeadditional rules.

It's all fine for me either way, I'm just here to manage the servers andsupport the IETF as best I can. But I was quite sternly lectured aboutthe need for "consensus" on things like this - and our agreement saysthat we have to take aggressive anti-spam measures - so I am stillhopeful that "the community" will engage in a decision-making process onthis point, so we can get everyone on the same page.

At this point, rules "A" and "B" are still active, "C" and "D" areremoved, and I refer this back to the leaders of the IETF to discusswhat they want, so I can implement it and make everyone happy. (As muchas that might be possible ;-) )


And as I was writing this, Danny just wrote in and said:

But it does accept ANY dotted quad IP address (address
literal):
danny at pork% tn mail.ietf.org 25
Trying 64.170.98.32...
Connected to mail.ietf.org.
Escape character is '^]'.
220 core3.amsl.com ESMTP Postfix
HELO [0.0.0.0]
250 core3.amsl.com
MAIL FROM: <glen at amsl.com>
250 2.1.0 Ok
RCPT TO: <pwe3-chairs at ietf.org>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
EAT PORK
.
250 2.0.0 Ok: queued as 96C3F28C10B
NEWS TO SPAMMERS: USE ADDRESS LITERALS!
I was dropping a ton of stuff on my personal servers because
of this and had to disable it.

Whoops! I was blocking numerics WITHOUT square brackets - I just addeda rule to block them WITH. Thanks for catching that!

BTW: we should consider at least one backup relay for ietf.org
sometime real soon, especially if the outage issues aren't
completely resolved:

I believe the outage issues are completely resolved at this point. IN aseparate email, I will describe what my conclusions are to everyone.

Meanwhile, as to the four rules at the top of the email, how shall weproceed?


Glen

Follow-Ups:
- Re: Rules for Rejecting Mail (was Re: Undelivered Mail Returned to Sender)
  - From: Eric Rescorla

Prev by Date: Re: No Outage (not at 0650Z anyway!)
Next by Date: Re: Rules for Rejecting Mail (was Re: Undelivered Mail Returned to Sender)
Previous by thread: mailing list archives
Next by thread: Re: Rules for Rejecting Mail (was Re: Undelivered Mail Returned to Sender)
Index(es):
- Date
- Thread