John C Klensin wrote:
>> The claimed reason for not making this change was that it
>> would be too hard on some small fraction of legitimate
>> senders. Three cases were presented. 1) The small office with
>> a dynamically-assigned IP address. 2) The roaming laptop.
>> 3) The digital camera.
>>
>> The solutions considered too difficult were:
>> 1) Get a static IP address for the transmitter in the small
>> office. 2) Relay through a transmitter with an established
>> identity and reputation. 3) Authorize the entire block of
>> addresses that might be dynamically assigned to the
>> transmitter. 4) Use an address literal, meaning - please
>> accept this session without a HELO ID.
>>
>> Have I missed anything?
>>
>
> I don't think so, as long as it is clearly understood that this
> does two things:
>
> (i) Defines a domain name argument that does not match the
> public Internet address of the sender as "invalid" -- thereby
> de facto preventing most SMTP clients that are using private
> address space behind a NAT from sending mail -- even if that
> domain name conveys accurate information about the sending
> system.
>
> (ii) Forces people toward use of IP literals, even IP literals
> in private address space (i.e., that convey little information),
> when domain names might make the sender more identifiable and
> more easily contacted.
>
>

I agree with John here.

Either everyone will use useless IP literals, or this change will *force* many small businesses to use either their ISP's poor quality smarthosts, or pay extra for a decent quality smarthost (and probably push them further towards giving up email).

Requiring people to have a static IP address is doomed to failure, as (a) IPv4 address space is running out, so ISPs will be pushing towards dynamic addresses, and (b) many ISPs already don't allow static IP addresses.

I don't see it giving any benefit, since 'bad senders' already know SMTP/domains well enough to be able to make their mail look legitimate enough to get through a crude filter like this. (E.g. a spammer could trivially create their own domain 'spammer.com' and "create" a virtual zone of 4 billion entries (one for each IP address), and the spambots will use the relevant entry from that domain as their EHLO data. Instant 'pass' of any EHLO checking based on correspondence of EHLO to IP address.)

IMV, arguments against SPF or DKIM pale into insignificance before the problems of this proposed change. Something like SPF can give a big benefit, while only requiring people to use an authorised submission server. This requires far more people to use a submission server, and only gives a very dubious benefit.

-- 
Paul Smith

VPOP3 - POP3/SMTP/IMAP4/Webmail
Email server for Windows
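
Added example, not part of the original message or of any mail server's code: a receiver-side sketch of the EHLO-to-IP correspondence check discussed in this thread, run over the sender cases the messages name. The rule as modelled (name must resolve to the connecting address; any address literal is accepted without an identity) is an assumption drawn from the quoted text, and all names, addresses and the `resolve_a` stand-in resolver are constructed.

```python
import ipaddress
import re

# Constructed forward-DNS data: .example names, documentation/private addresses.
STATIC_A = {
    "mail.smalloffice.example": {"198.51.100.10"},  # sender with a static public IP
    "pc7.office.example": {"192.168.1.7"},          # accurate name, host sits behind a NAT
}
# Hypothetical zone that answers every a-b-c-d label with address a.b.c.d.
SYNTHESIZED = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.pool\.bulk\.example$")


def resolve_a(name):
    """Constructed stand-in for an A-record lookup; returns a set of address strings."""
    name = name.lower().rstrip(".")
    if name in STATIC_A:
        return STATIC_A[name]
    m = SYNTHESIZED.match(name)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return {".".join(str(int(octet)) for octet in m.groups())}
    return set()


def check_ehlo(ehlo_arg, peer_ip, resolve=resolve_a):
    """Classify an EHLO argument as 'literal', 'match' or 'invalid'."""
    peer = ipaddress.ip_address(peer_ip)
    if ehlo_arg.startswith("[") and ehlo_arg.endswith("]"):
        return "literal"  # accepted, but carries no HELO identity
    addrs = {ipaddress.ip_address(a) for a in resolve(ehlo_arg)}
    return "match" if peer in addrs else "invalid"


# (description, EHLO argument, address the receiver sees): all constructed
CASES = [
    ("static-IP office", "mail.smalloffice.example", "198.51.100.10"),
    ("NAT'd host, accurate name", "pc7.office.example", "203.0.113.44"),
    ("NAT'd host, private literal", "[192.168.1.7]", "203.0.113.44"),
    ("name from synthesized zone", "203-0-113-99.pool.bulk.example", "203.0.113.99"),
]


def run_cases():
    return {desc: check_ehlo(arg, ip) for desc, arg, ip in CASES}


if __name__ == "__main__":
    for desc, verdict in run_cases().items():
        print(f"{desc:30} {verdict}")
```

Of the four cases, the only one the check rejects is the NAT'd host that announced its accurate name; the name from the synthesized zone gets the same verdict as the static-IP office.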
