Re: RFC 2?821 and CNAMEs
martin f krafft [EMAIL PROTECTED] writes:

> I can't believe DNS (or SMTP for that matter) hasn't moved along in
> decades... at least not since people started to understand that data
> redundancy (not caching!) is a bad thing.

Yeah, both DNS and SMTP basically froze in stone a while back, and except
for the stuff that can be done with new RRs in DNS or extensions in SMTP,
really nothing changes. Too much code out there that will break if any
little thing is different.

There are advantages to having a mature standard, but it means that we get
to live with all the mistakes and marginal decisions forever and one ends
up just memorizing them.

This is particularly bad in the area of SMTP because it's hard enough to
write a fully compliant to every last detail SMTP agent that it's a great
way of catching spamware, which is often written by incompetent
programmers or in a huge hurry. So it's become quite popular to enforce
every little detail of the SMTP standard, no matter how obscure, because
the main Unix MTAs follow the standard in great detail and every new thing
that you can find rejects a bunch of spam. For example, Stanford
University rejects 80% (!!) of our incoming mail just by requiring an
RFC-2821-compliant HELO.

> Sorry for the noise on d-devel.

It's a little off-topic, but it's obscure enough stuff that affects enough
people that I think it's nice to repeat it periodically. I end up
answering a ton of questions like this in my day job.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
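Added example, not part of the original message or of any MTA's code: a Python check of a HELO/EHLO argument against the RFC 2821 syntax (a fully-qualified domain or a bracketed address literal), the kind of strict test the message describes. Which checks a given site applies is not stated in the thread; the function names, the bare-IP rule and the sample arguments are assumptions constructed here.

```python
import ipaddress
import re

# RFC 2821 section 4.1.2: sub-domain = Let-dig [Ldh-str], i.e. letters,
# digits and hyphens, beginning and ending with a letter or digit.
SUBDOMAIN = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def _is_ip(text, version):
    try:
        return ipaddress.ip_address(text).version == version
    except ValueError:
        return False


def check_helo(arg):
    """Return (ok, reason) for the argument of a HELO/EHLO command."""
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        # Address literal: "[192.0.2.10]" or "[IPv6:2001:db8::1]".
        if inner[:5].lower() == "ipv6:":
            ok = _is_ip(inner[5:], 6)
        else:
            ok = _is_ip(inner, 4)
        return (ok, "address literal" if ok else "malformed address literal")
    if _is_ip(arg, 4) or _is_ip(arg, 6):
        # The Let-dig grammar alone would let a dotted quad through as a
        # Domain, so this case is caught explicitly (a policy choice here).
        return (False, "bare IP address, not a bracketed literal")
    labels = arg.split(".")
    if len(labels) < 2:
        return (False, "not fully qualified (single label)")
    if len(arg) > 255 or any(len(label) > 63 for label in labels):
        return (False, "name or label too long")
    if not all(SUBDOMAIN.fullmatch(label) for label in labels):
        return (False, "label violates letter-digit-hyphen syntax")
    return (True, "domain")


# Constructed HELO arguments, not taken from real traffic.
SAMPLES = ["mail.example.org", "[192.0.2.10]", "[IPv6:2001:db8::1]",
           "localhost", "192.0.2.10", "mail_1.example.org", "example.org."]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:24} {check_helo(sample)}")
```
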
Re: RFC 2?821 and CNAMEs
thus spoke Ian Jackson [EMAIL PROTECTED] [2007.10.10.1059 +0100]:
> In particular, I have seen MTAs which would (taking your situation as
> a concrete example, and when relaying mail eg as a smarthost), after
> receiving a mail with
>   RCPT TO:[EMAIL PROTECTED]
> would look lapse.madduck.net in the DNS, see it's an alias, and then
> decide that the right thing to do was to send to your MX
>   RCPT TO:[EMAIL PROTECTED]
> (Obviously this behaviour is completely barking.)

Yes, I have seen those too, namely MS Exchange.

--
 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

one is not born into christianity, one merely has to be sick enough
for it. - friedrich nietzsche

digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)
Re: RFC 2?821 and CNAMEs
martin f krafft writes (Re: RFC 2?821 and CNAMEs):
> Of course I can ensure that, and that's what I had a while ago: for
> each of my road-warriors (rw.madduck.net; 19 of them; no, not all
> laptops; long story), I had a separate pair of MX RRs. I sought to
> simplify that and created rw.madduck.net with two MX RRs and CNAMEd
> the 19 domain names to that,

You should definitely change this, not just because my strict reading of
the state of the standards forbids it, but also because the behaviour of
other MTAs is not always what you want.

In particular, I have seen MTAs which would (taking your situation as a
concrete example, and when relaying mail eg as a smarthost), after
receiving a mail with
  RCPT TO:[EMAIL PROTECTED]
would look lapse.madduck.net in the DNS, see it's an alias, and then
decide that the right thing to do was to send to your MX
  RCPT TO:[EMAIL PROTECTED]
(Obviously this behaviour is completely barking.)

Ian.
RFC 2?821 and CNAMEs (was: seeking: Ian Jackson)
Thanks, Ian, for your reply. I don't quite agree with it though.

thus spoke Ian Jackson [EMAIL PROTECTED] [2007.10.09.2102 +0100]:
> The prevailing IETF standard for mail transmission over the Internet
> is STD-10 (RFC821), which says:

RFC 2821 obsoletes STD-10, and says:

  3.6 Domains

     Only resolvable, fully-qualified, domain names (FQDNs) are permitted
     when domain names are used in SMTP. In other words, names that can
     be resolved to MX RRs or A RRs (as discussed in section 5) are
     permitted, as are CNAME RRs whose targets can be resolved, in turn,
     to MX or A RRs.
     ^^^

Though I guess it gets interesting when we start to look at the meaning
of obsoletes:

  Abstract

     This document is a self-contained specification of the basic
     protocol for the Internet electronic mail transport. It
     consolidates, updates and clarifies, but doesn't add new or change
     existing functionality of the following:

     - the original SMTP (Simple Mail Transfer Protocol) specification of
       RFC 821 [30],

yes, one could argue.

> RFC2181 is helpful on this point:
>
>   10.1.1. CNAME terminology

This is interesting for I really always thought it was the other way
around. Now I have to adjust the way I use that word in day to day
parlance.

> And yes, I'm afraid I agree with you - the spammers have indeed won.
> I regret the inconvenience.

No problem; I appreciate your time and the hole you punched for me.

--
 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

heuristic is computer science jargon for 'doesn't actually work.'
    -- charlie reiman
Re: RFC 2?821 and CNAMEs
martin f krafft [EMAIL PROTECTED] writes:

> RFC 2821 obsoletes STD-10, and says:
>
>   3.6 Domains
>
>      Only resolvable, fully-qualified, domain names (FQDNs) are permitted
>      when domain names are used in SMTP. In other words, names that can
>      be resolved to MX RRs or A RRs (as discussed in section 5) are
>      permitted, as are CNAME RRs whose targets can be resolved, in turn,
>      to MX or A RRs.
>      ^^^
>
> Though I guess it gets interesting when we start to look at the meaning
> of obsoletes:

As someone who was on the RFC 2821 working group and vaguely remembers
this, I seem to recall that this was one of those cases where everyone was
already doing this and it didn't cause interoperability problems, so RFC
2821 backed off the strength of the requirement.

Note, though, that STD-10 is a Standard whereas RFC 2821 is still only a
Proposed Standard. IIRC, formally the obsolete only fully applies once RFC
2821 reaches the same level in the standards process.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: RFC 2?821 and CNAMEs
thus spoke Russ Allbery [EMAIL PROTECTED] [2007.10.09.2243 +0100]:
> Note, though, that STD-10 is a Standard whereas RFC 2821 is still only
> a Proposed Standard. IIRC, formally the obsolete only fully applies
> once RFC 2821 reaches the same level in the standards process.

Does that mean I ought to be changing my DNS setup?

--
 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

if you are walking on thin ice, you might as well dance!
Re: RFC 2?821 and CNAMEs
martin f krafft [EMAIL PROTECTED] writes:
> thus spoke Russ Allbery [EMAIL PROTECTED] [2007.10.09.2243 +0100]:

>> Note, though, that STD-10 is a Standard whereas RFC 2821 is still only
>> a Proposed Standard. IIRC, formally the obsolete only fully applies
>> once RFC 2821 reaches the same level in the standards process.

> Does that mean I ought to be changing my DNS setup?

The only thing RFC 821 cares about is what hostnames you use in MAIL FROM
and RCPT TO. If you can ensure that your mail setup uses the canonical
name rather than the alias in the RHS of addresses in MAIL FROM, that will
make the problem go away without changing your DNS.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: RFC 2?821 and CNAMEs
thus spoke Russ Allbery [EMAIL PROTECTED] [2007.10.10.0024 +0100]:
> The only thing RFC 821 cares about is what hostnames you use in MAIL
> FROM and RCPT TO. If you can ensure that your mail setup uses the
> canonical name rather than the alias in the RHS of addresses in MAIL
> FROM, that will make the problem go away without changing your DNS.

Of course I can ensure that, and that's what I had a while ago: for each
of my road-warriors (rw.madduck.net; 19 of them; no, not all laptops;
long story), I had a separate pair of MX RRs. I sought to simplify that
and created rw.madduck.net with two MX RRs and CNAMEd the 19 domain names
to that, *after* reading the RFCs and determining that it was okay (but
reading RFC2821 as having obsoleted STD-010; your argument makes sense
though).

I'd much rather change my DNS than configure the 19 machines to use the
same mail-from-domain. Thanks for this thread, which showed me that
apparently this is what I have to do.

I can't believe DNS (or SMTP for that matter) hasn't moved along in
decades... at least not since people started to understand that data
redundancy (not caching!) is a bad thing.

Sorry for the noise on d-devel.

--
 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

the only difference between the saint and the sinner is that every saint
has a past and every sinner has a future.
    -- oscar wilde
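Added example, not part of the original thread: a Python audit of the domain in a MAIL FROM or RCPT TO address for the setup discussed above, where host names are CNAMEd to one name that carries the MX RRs. The zone data, the example.net names and both function names are constructed for illustration; `strict=True` models the reading under which an alias is not acceptable, `strict=False` the RFC 2821 section 3.6 text quoted in the thread.

```python
# Constructed zone data mirroring the layout described in the thread: one
# name carries the MX RRs and host names are CNAMEd to it. Every name is a
# placeholder under example.net, not a record from any real zone.
ZONE = {
    "rw.example.net": {"MX": [(10, "mx1.example.net"), (20, "mx2.example.net")]},
    "lapse.example.net": {"CNAME": "rw.example.net"},
    "solo.example.net": {"A": ["192.0.2.25"]},
    "loop-a.example.net": {"CNAME": "loop-b.example.net"},
    "loop-b.example.net": {"CNAME": "loop-a.example.net"},
    "dangling.example.net": {"CNAME": "gone.example.net"},
}


def resolve_mail_domain(domain, zone=ZONE):
    """Follow CNAMEs from `domain`; return (status, final_name, aliases)."""
    name, aliases = domain.lower().rstrip("."), []
    while "CNAME" in zone.get(name, {}):
        aliases.append(name)
        name = zone[name]["CNAME"].lower().rstrip(".")
        if name in aliases:
            return ("cname-loop", None, aliases)
    rrs = zone.get(name, {})
    if not (rrs.get("MX") or rrs.get("A")):
        return ("unresolvable", None, aliases)
    return ("alias" if aliases else "canonical", name, aliases)


def audit_envelope_domain(address, strict=True, zone=ZONE):
    """Check the domain of a MAIL FROM / RCPT TO address.

    Returns (acceptable, detail): detail is the address in canonical form,
    or the failure status when the domain does not resolve to MX or A RRs.
    """
    local, _, domain = address.rpartition("@")
    status, final, _ = resolve_mail_domain(domain, zone)
    if status == "canonical":
        return (True, address)
    if status == "alias":
        # Either reading gets the canonical form to use instead.
        return (not strict, f"{local}@{final}")
    return (False, status)


if __name__ == "__main__":
    for addr in ("user@lapse.example.net", "user@rw.example.net",
                 "user@loop-a.example.net", "user@dangling.example.net"):
        print(addr, audit_envelope_domain(addr), audit_envelope_domain(addr, strict=False))
```
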