Re: seeking: Ian Jackson
On Wed, 10 Oct 2007 22:42:35 +0200, Florian Weimer wrote:

> [...]
> Internet mail addresses (which are passed to /usr/sbin/sendmail, for instance) must be canonicalized before they are used in SMTP. At least that's the theory; Exim doesn't do it.

And apparently on purpose:

    Exim deliberately doesn't do this. We had no end of trouble in the days before I wrote Exim with other MTAs that made dreadful messes in this area, so I stayed well clear. Although, as usual, it can be forced to if need be.

http://bugs.debian.org/75933

-- 
Michał Politowski
Talking has been known to lead to communication if practiced carelessly.
Re: seeking: Ian Jackson
RFC 1123 contains this requirement:

    5.2.2 Canonicalization: RFC-821 Section 3.1

    The domain names that a Sender-SMTP sends in MAIL and RCPT commands MUST have been canonicalized, i.e., they must be fully-qualified principal names or domain literals, not nicknames or domain abbreviations. A canonicalized name either identifies a host directly or is an MX name; it cannot be a CNAME.

This means that it's fine to use domains pointing to CNAMEs in Internet mail. It does not matter if RFC 821 requires canonical names in RCPT or MAIL arguments because it's the job of the sending to apply canonicalization to comply with this requirement.

But it's generally wrong to expect that RFCs reflect what's being done on the Internet. Current state of affairs is that hardly anybody implements that rule from RFC 1123 correctly. Sendmail applies it to headers as well, which is simply wrong. Exim doesn't implement it at all. I don't know about Postfix.

Some MTAs (like Ian's) enforce that RCPT/MAIL arguments are in fact canonical names, decreasing email reachability. There aren't that many MTAs which do that (and I think it's a questionable configuration choice), and the only reasonable way around that is not to use non-canonical domains in email addresses.

The MX-to-CNAME and CNAME-to-CNAME issues are unrelated. CNAME-to-CNAME works in the sense that clients which can cope with a single CNAME indirection correctly implement CNAME chasing, provided that chain is not too long to cause the DNS response not to fit into a 512 byte packet. (This has been empirically demonstrated by Akamai and others.) Some MTAs bounce mail targeted at MX-to-CNAME domains (IIRC, smail contains a configuration option to do this), so you should generally avoid this to avoid email reachability issues.

And NS-to-CNAME doesn't work at all, BTW.
Re: seeking: Ian Jackson
also sprach Florian Weimer [EMAIL PROTECTED] [2007.10.10.1145 +0100]:
> RFC 1123 contains this requirement:
>
>     5.2.2 Canonicalization: RFC-821 Section 3.1
>
>     The domain names that a Sender-SMTP sends in MAIL and RCPT commands MUST have been canonicalized, i.e., they must be fully-qualified principal names or domain literals, not nicknames or domain abbreviations. A canonicalized name either identifies a host directly or is an MX name; it cannot be a CNAME.
>
> This means that it's fine to use domains pointing to CNAMEs in Internet mail.

I think it says exactly the opposite, don't you?

-- 
 .''`.   martin f. krafft [EMAIL PROTECTED]
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

if loving linux is wrong, i don't want to be right.
Re: seeking: Ian Jackson
* martin f. krafft:

> also sprach Florian Weimer [EMAIL PROTECTED] [2007.10.10.1145 +0100]:
>> RFC 1123 contains this requirement:
>>
>>     5.2.2 Canonicalization: RFC-821 Section 3.1
>>
>>     The domain names that a Sender-SMTP sends in MAIL and RCPT commands MUST have been canonicalized, i.e., they must be fully-qualified principal names or domain literals, not nicknames or domain abbreviations. A canonicalized name either identifies a host directly or is an MX name; it cannot be a CNAME.
>>
>> This means that it's fine to use domains pointing to CNAMEs in Internet mail.
>
> I think it says exactly the opposite, don't you?

There's a difference between Internet mail and SMTP. Internet mail addresses (which are passed to /usr/sbin/sendmail, for instance) must be canonicalized before they are used in SMTP. At least that's the theory; Exim doesn't do it.

Is this still unclear? I don't really know how to explain this more clearly.
Re: seeking: Ian Jackson
also sprach Martin Zobel-Helas [EMAIL PROTECTED] [2007.10.09.2026 +0100]:
> how about sending mails from master.debian.org with either [EMAIL PROTECTED] or [EMAIL PROTECTED] :)

I couldn't sign those messages. But I could temporarily set mutt's $envelope_from_address. Thanks for the hint.

-- 
martin f. krafft

the human brain is like an enormous fish -- it is flat and slimy and has gills through which it can see.
    -- monty python
Re: seeking: Ian Jackson
martin f krafft writes (seeking: Ian Jackson):
> In the mean time, I'd be grateful if Ian gave me a means to communicate with him. Or if someone would offer to relay a message to him.

A few people have drawn my attention to this thread, thanks. For future reference, my db.debian.org entry ought to have my phone number in it and I think it's fine to use that when email fails.

I've added a hole in my filter for *.madduck.net so martin should be able to email me now.

> Yes, lapse.madduck.net is a CNAME (*c*anonical *name*) to an MX RR, and that's RFC-compliant ttbomk. If it is not, I would appreciate if someone shoved the relevant sections into my face.

The prevailing IETF standard for mail transmission over the Internet is STD-10 (RFC821), which says:

    3.7. DOMAINS
    ...
    Whenever domain names are used in SMTP only the official names are used, the use of nicknames or aliases is not allowed.

CNAME in CNAME RR means the lhs domain is an alias; the canonical name is as follows. So

    lapse.madduck.net. CNAME rw.madduck.net.

means lapse.madduck.net's canonical name is rw.madduck.net, ie that lapse.madduck.net is _not_ a canonical name but an alias.

RFC2181 is helpful on this point:

    10.1.1. CNAME terminology

    It has been traditional to refer to the label of a CNAME record as a CNAME. This is unfortunate, as CNAME is an abbreviation of canonical name, and the label of a CNAME record is most certainly not a canonical name. It is, however, an entrenched usage. Care must therefore be taken to be very clear whether the label, or the value (the canonical name) of a CNAME resource record is intended. In this document, the label of a CNAME resource record will always be referred to as an alias.

If you have a suggestion for improving the error message I'd be happy to hear it - but preferably not anything much longer than the existing message

    DNS alias found where canonical name wanted

which is already rather on the long side.

> The spammers have long won if people put such boulders in the way of communication. Oh wait, I doubt spammers use CNAMEs...

Statistics for this cause of rejection for last week:

    -chiark:~ grep 'DNS alias found where canonical name wanted' /var/log/sauce/reject.log.0 | wc -l
    19893
    -chiark:~

This includes attempts which would also have been rejected for some other reason, but it gives an idea of the prevalence.

And yes, I'm afraid I agree with you - the spammers have indeed won. I regret the inconvenience.

Regards,
Ian.
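The two behaviours discussed in this thread, sender-side canonicalization per RFC 1123 5.2.2 and a receiver that rejects alias domains in MAIL/RCPT, shown side by side as an added example; it is not code from any MTA or filter mentioned in the thread. Only the lapse.madduck.net CNAME comes from the thread; every other record, the address user@..., and all function names are constructed for illustration.

```python
# Constructed zone data; only the lapse -> rw CNAME is taken from the thread.
# All other records are assumed placeholders (example.* names, 192.0.2.0/24).
ZONE = {
    "lapse.madduck.net": {"CNAME": ["rw.madduck.net"]},
    "rw.madduck.net": {"MX": ["mail.example.net"]},
    "mail.example.net": {"A": ["192.0.2.25"]},
    "shop.example.org": {"MX": ["mx-alias.example.org"]},  # MX-to-CNAME case
    "mx-alias.example.org": {"CNAME": ["mail.example.net"]},
    "loop-a.example.org": {"CNAME": ["loop-b.example.org"]},
    "loop-b.example.org": {"CNAME": ["loop-a.example.org"]},
}
ALIAS_MSG = "DNS alias found where canonical name wanted"

def rrset(name, rtype, zone=ZONE):
    """Records of one type owned by a name (case-insensitive, no root dot)."""
    return zone.get(name.rstrip(".").lower(), {}).get(rtype, [])

def canonicalize(domain, zone=ZONE, max_hops=8):
    """Chase CNAMEs until a name that owns MX or A records is reached."""
    name, seen = domain.rstrip(".").lower(), set()
    while rrset(name, "CNAME", zone):
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = rrset(name, "CNAME", zone)[0].rstrip(".").lower()
    if not (rrset(name, "MX", zone) or rrset(name, "A", zone)):
        raise ValueError(f"{name} has no MX or A record")
    return name

def sender_rewrite(address, zone=ZONE):
    """Sender side (RFC 1123 5.2.2): canonicalize before MAIL/RCPT."""
    local, _, domain = address.rpartition("@")
    return f"{local}@{canonicalize(domain, zone)}"

def strict_receiver_check(address, zone=ZONE):
    """Receiver side: return a rejection reason, or None to accept."""
    domain = address.rpartition("@")[2]
    if rrset(domain, "CNAME", zone):
        return ALIAS_MSG
    if not (rrset(domain, "MX", zone) or rrset(domain, "A", zone)):
        return "domain has no MX or A record"
    return None

def aliased_mx_targets(domain, zone=ZONE):
    """MX targets that are themselves CNAMEs (the MX-to-CNAME case)."""
    return [t for t in rrset(domain, "MX", zone) if rrset(t, "CNAME", zone)]
```

An envelope address that the strict receiver rejects is accepted once the sender has rewritten it, which is the interoperability gap the thread is about: the receiver enforces a rule that many senders never apply.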
RFC 2?821 and CNAMEs (was: seeking: Ian Jackson)
Thanks, Ian, for your reply. I don't quite agree with it though.

also sprach Ian Jackson [EMAIL PROTECTED] [2007.10.09.2102 +0100]:
> The prevailing IETF standard for mail transmission over the Internet is STD-10 (RFC821), which says:

RFC 2821 obsoletes STD-10, and says:

    3.6 Domains

    Only resolvable, fully-qualified, domain names (FQDNs) are permitted when domain names are used in SMTP. In other words, names that can be resolved to MX RRs or A RRs (as discussed in section 5) are permitted, as are CNAME RRs whose targets can be resolved, in turn, to MX or A RRs.
    ^^^

Though I guess it gets interesting when we start to look at the meaning of obsoletes:

    Abstract

    This document is a self-contained specification of the basic protocol for the Internet electronic mail transport. It consolidates, updates and clarifies, but doesn't add new or change existing functionality of the following:

    - the original SMTP (Simple Mail Transfer Protocol) specification of RFC 821 [30],

yes, one could argue.

> RFC2181 is helpful on this point:
>
>     10.1.1. CNAME terminology

This is interesting for I really always thought it was the other way around. Now I have to adjust the way I use that word in day to day parlance.

> And yes, I'm afraid I agree with you - the spammers have indeed won. I regret the inconvenience.

No problem; I appreciate your time and the hole you punched for me.

-- 
martin f. krafft

heuristic is computer science jargon for 'doesn't actually work.'
    -- charlie reiman
Re: seeking: Ian Jackson
Hello martin,

martin f krafft [EMAIL PROTECTED] wrote:
> also sprach Martin Zobel-Helas [EMAIL PROTECTED] [2007.10.09.2026 +0100]:
>> how about sending mails from master.debian.org with either [EMAIL PROTECTED] or [EMAIL PROTECTED] :)
>
> I couldn't sign those messages.

Give mutt a new sendmail:

    set sendmail="/usr/bin/ssh debian /usr/sbin/sendmail -oem -oi"

Bye, Jörg.

-- 
Real programmers don't comment their code. It was hard to write, it should be hard to understand.