
Re: iesg comment re message submission in draft-ietf-grip-isp-expectations-03.txt



At 22.28 -0700 00-05-29, Randall Gellens wrote:
>However, I think removing the recommendation for the submission port 
>goes against the intent of the draft.

I was the one writing the new text, and let me try to explain the 
intention with the new text.

- Number one important issue is that people start using SMTP AUTH
- Number two is to use SMTP SUBMIT

As an ISP (which I am in my day to day job) I find that the highest 
importance is that one can authenticate the user who wants to do the 
submission of email through SMTP, because with the "deregulation" of 
transmission the owner of the IP network is more and more seldom the 
same party as the one running the SMTP service. So, since about 2 
years back, it has been impossible to have IP-based filtering on who 
can access the various port numbers on the service which handle SMTP. 
Only authentication helps.

We also discussed this in the IESG, and we believe that authentication 
is the most important issue (and not the other way around which it 
feels when reading the current text) because both port numbers _have_ 
to be open to the whole world.

Let's then look at your new proposed text:

>To facilitate the enforcement of security policy, message submission 
>should be done through the MAIL SUBMIT port (587) as discussed in 
>"Message Submission" [RFC2476], rather than through the SMTP port 
>(25).

The reason for the use of the MSA is today much more about 
"submission of incomplete messages" than because of security issues 
and filtering on IP numbers, because, as I describe above, filtering on 
IP addresses doesn't work anymore. People do move around and need to 
be able to submit messages all the time. The differentiation in port 
numbers you describe in the document only works if you can do some 
filtering -- or the services MTA and MSA can be on the same port, 25.

>In addition, message submissions should be authenticated using the 
>AUTH SMTP service extension as described in the "SMTP Service 
>Extension for Authentication" [RFC2554].   In this way the SMTP port 
>(25) can be restricted to local delivery only.

The request from the IESG is to have SMTP authentication as the 
primary thing, and then use the definition of the MSA, on maybe a 
different port number, different from the MTA, as a secondary thing.

>The reason for this is to be able to differentiate between local 
>delivery and relay (i.e., allow customers to send email via the 
>ISP's SMTP service to arbitrary receivers on the Internet). 
>Non-authenticated SMTP should only be allowed for local delivery.
>
>As more and more mail clients support both SMTP AUTH and the message 
>submission port (either explicitly or by configuring the SMTP port), 
>ISPs may find it useful to require that customers submit messages 
>using both the submission port and SMTP AUTH; permitting only 
>inbound mail on port 25.
>
>These measures (SMTP AUTH and the submission port) not only protect 
>the ISP from serving as a UBE injection point via third-party relay, 
>but also help in tracking accountability for message submission in 
>the case where a customer sends UBE.
>
>SMTP AUTH is preferred over IP address-based submission restrictions 
>in that it gives the ISP's customers the flexibility of being able 
>to submit mail even when not connected through the ISP's network 
>(for example, while at work), is more resistant to spoofing, and can 
>be upgraded to newer authentication mechanisms as they become 
>available. See the RFC "Anti-Spam Recommendations for SMTP MTAs" 
>[RFC 2505] for more information on this issue.

The explanation for the need for SMTP auth is good.

    paf
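
An added example, not part of the original message or of the draft: a small Python model of the relay decision discussed in this thread, comparing IP-based filtering with SMTP AUTH as the primary control and the 25/587 port split as an optional second step. The domains, address ranges and function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All names and values below are constructed for illustration.
LOCAL_DOMAINS = {"isp.example"}               # domains this server delivers locally
CUSTOMER_NETS = [ip_network("192.0.2.0/24")]  # the ISP's own address space

@dataclass
class Rcpt:
    client_ip: str       # peer address of the SMTP connection
    port: int            # 25 (SMTP) or 587 (submission, RFC 2476)
    authenticated: bool  # SMTP AUTH (RFC 2554) completed on this session
    rcpt_domain: str     # domain part of the RCPT TO address

def is_local(r):
    """True when the recipient is delivered locally, i.e. no relay is needed."""
    return r.rcpt_domain.lower() in LOCAL_DOMAINS

def ip_based(r):
    """Older model: relay is allowed for any client inside the ISP's network."""
    inside = any(ip_address(r.client_ip) in net for net in CUSTOMER_NETS)
    return "accept" if is_local(r) or inside else "reject"

def auth_based(r, split_ports=False):
    """AUTH is the primary control; the port split is an optional second step.

    split_ports=False: MTA and MSA may share port 25; only AUTH decides relay.
    split_ports=True:  587 takes authenticated submission only, 25 takes
                       local (inbound) delivery only.
    """
    if split_ports:
        if r.port == 587:
            return "accept" if r.authenticated else "reject"
        return "accept" if is_local(r) else "reject"
    return "accept" if r.authenticated or is_local(r) else "reject"

if __name__ == "__main__":
    cases = {
        "roaming customer, AUTH, port 25": Rcpt("198.51.100.7", 25, True, "elsewhere.example"),
        "roaming customer, AUTH, port 587": Rcpt("198.51.100.7", 587, True, "elsewhere.example"),
        "on-net client, no AUTH, relay": Rcpt("192.0.2.10", 25, False, "elsewhere.example"),
        "inbound mail from the Internet": Rcpt("203.0.113.5", 25, False, "isp.example"),
    }
    for name, r in cases.items():
        print(f"{name}: ip={ip_based(r)} auth={auth_based(r)} "
              f"auth+split={auth_based(r, split_ports=True)}")
```
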