nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Email peering

From: "Alexei Roudnev" <alex () relcom net>
Date: Sun, 19 Jun 2005 10:36:22 -0700

My e-mail is alex () relcom net, but I send it when I am on DSL with EthLink
(and thru Earthlink SMTP). And it is 100% valid situation.


----- Original Message ----- 
From: "John Levine" <johnl () iecc com>
To: <nanog () nanog org>
Cc: <mleber () he net>
Sent: Saturday, June 18, 2005 12:25 AM
Subject: Re: Email peering





In between the choice of accepting mail from *anybody* by default
which we have now and the choice of accepting mail from *nobody* by
default that explicit peering agreements represents there is another
solution; which is to accept mail only from IPs that have *some
relation* to the sender's From domain, for example by MX record or by
reverse DNS (we implemented that test and call it MX+).


This has the same problem as all of the other duct tape authorization
schemes -- it breaks a lot of valid e-mail, so that you have to
maintain a painfully large manual exception table, or write off a lot
of mail that your users will not forgive you for losing, or more
likely, both.

In this particular case, the biggest issue is forwarders, commercial
ones like pobox.com, associations like the ACM and IEEE (I get some
odd mail being uucp at computer.org), and large numbers of colleges
and universities which let graduates keep their email address.  In all
of those cases, the users send mail from their own ISPs, whatever they
are, inbound mail is forwarded back to the ISP accounts, and there is
no way to enumerate the valid sources of mail.

There's also plenty of domains where the inbound and outbound mail
servers are different, and neither one matches the domain name of the
mail.  For example, I host about 300 small mail domains on a pop
toaster here.  The MX is mail2.iecc.com, and the outbound host that
many but not all of them use is xuxa.iecc.com.  (Mail for iecc.com
itself is on another host.)  The IPs all happen to be in the same /24,
but guessing whether two IPs are "close enough" is a poor way to
authenticate or authorize anything.

Before you point out that they could change the way those systems work
to be compatible with your scheme, well, duh, sure.  But if you're
going to make people change their existing working mail setups,
there's little point in going through the vast cost of a widespread
change for such a marginal benefit.  Read archives of SPF mailing
lists for endless flamage on this topic, since SPF has the same
problem.

Regards,
John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for

Dummies",

Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web
Previous By Date Next
Previous By Thread Next

Current thread: