[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: working group last call on ISP draft



Tony,

>Correct me if I'm wrong, but as long as it refers to draft RFC's, won't it
>get rejected until those drafts become published?

You're absolutely right.  I've left the references to IDs in as long as
possible in the hope that some of them become RFCs.  Immediately prior
to Barbara's forwarding the final draft to the IESG I plan to change
these references to refer only to 'work in progress'.

>One of the sections which refers to drafts is Section 8.4 Message
>Submission, which refers to draft-gellens-submit-05.txt and
>draft-myers-smtp-auth-09.txt. This section recommends using the SUBMIT
>protocol extended by the addition of the AUTH SMTP extension. Wouldn't it be
>better to get Gellens to modify his draft so that it incorporates the AUTH
>SMTP extension, and then make our recommendation based on the new version?

Randall's recommendations for separating the submission and relaying
functions of SMTP by having them listen on different ports are valid
independent of SMTP AUTH.  SMTP AUTH is desirable on both ports, or on
port 25 if that's the only port to which a site listens.  I'm not clear 
on how far you think he should go in 'incorporating' the AUTH SMTP
extension, as I see them as very different works addressing different
issues.  However I'm sure he'll speak for himself - he's on the list.

>Based on the current text, I disagree with the statement "In this way the
>SMTP port (25) can be restricted to local delivery only." The way Gellen's
>draft is written, port 25 can still be used for traffic originating from a
>local user, as well as relay traffic. The purpose of Myers' draft is to add
>authentication to locally-originated mail so that you know who sent it,
>without affecting any other sort of port 25 traffic. In other words, Myers'
>draft is what adds a facility to enforce a security policy to either port 25
>or port 587.

I didn't think I needed to be explicit in explaining that, having
provided a mechanism for handling submission differently from relaying,
various security strategies (including but not only SMTP AUTH) can be
applied to that mechanism.  Rolling out SMTP AUTH will take time, and
for many sites migrating to SUBMIT and filtering who can connect there
will be a reasonable solution.  Other sites will perhaps deploy SMTP
AUTH first.  In either case my implication was that, in restricting the
functionality of what happens without authentication on port 25 to
relaying, that relaying can be controlled (and for example mail to 
non-local recipients can be disgarded).

Does anyone else feel this part of the draft is unclear ?

>I think section 8.4 should be rewritten as follows:
>
>    Message submission should be done through one of three mechanisms: the
>    authenticated MAIL SUBMIT protocol (port 587), the authenticated SMTP
>    protocol (port 25), or the POP3 XTND XMIT extension (port 110).

I believe that a recommendation to use XTND XMIT would cause this draft
to be rejected by the IESG, and I'd have to agree with them.  That's not
to say that there aren't a lot of sites for whom this is a reasonable
solution today.

>    The (undocumented) XTND XMIT POP3 extension which allows clients to send
>    mail through the POP3 session rather than using SMTP may also be
>    considered.  It also provides a way to support mobile users at sites
>    where open relaying is disabled, and has the benefit of an authenticated
>    connection and a better audit trail.
>
>On a separate note, I started writing an informational RFC describing the
>XTND XMIT protocol. Should I finish writing it and submit it to the group?
>That way, we can remove the "(undocumented)" from the above paragraph.

While I'm wary of recommending XTND XMIT I think that documenting it
would be a good idea, and in fact I discussed this with Harald
Alvestrand (one of the Application Area ADs) recently.  He half jokingly
suggested that 'Historic' might be a more appropriate target status :-)

Seriously, an informational draft describing it would be very welcome.
When you finish writing it you should submit it to
Internet-Drafts@ietf.org, and you should also solicit comments on the
DRUMS working group.  Though it's not within their charter to discuss
this, it's the most appropriate place.  In addition, I know that Chris
Newman and John Myers who are involved in DRUMS have strong opinions
about XTND XMIT and they would be able to give you some good feedback.

Tom.
--
Tom Killalea   (425) 649-7417    NorthWestNet
               tomk@nwnet.net