9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] rewriting From:
  2003-04-03 16:03 [9fans] rewriting From: David Presotto
@ 2003-04-03 15:55 ` Gabriel Diaz Lopez de la Llave
  2003-04-03 17:07   ` David Presotto
  2003-04-03 17:09   ` Lyndon Nerenberg {VE6BBM}
  2003-04-03 16:52 ` Lyndon Nerenberg {VE6BBM}
  2003-04-04 13:25 ` Martin Neitzel
  2 siblings, 2 replies; 10+ messages in thread
From: Gabriel Diaz Lopez de la Llave @ 2003-04-03 15:55 UTC (permalink / raw)
  To: 9fans

Hello,


I hope the following lines have some utility:

RFC-821 says that CNAME is supposed to be rewritten but

RFC-1123 says:

 5.2.2  Canonicalization: RFC-821 Section 3.1

  The domain names that a Sender-SMTP sends in MAIL and RCPT
  commands MUST have been  "canonicalized," i.e., they must be
  fully-qualified principal names or domain literals, not nicknames
  or domain abbreviations.  A canonicalized name either
  identifies a host directly or is an MX name; it cannot be a
  CNAME.

I took a look at rfc 2476 "message submission" and it says

"
8.7.  Resolve Aliases

   The MSA MAY resolve aliases (CNAME records) for domain names, in the
   envelope and optionally in address fields of the header, subject to
   local policy.

   NOTE:  Unconditionally resolving aliases could be harmful.  For
   example, if www.example.net and ftp.example.net are both aliases for
   mail.example.net, rewriting them could lose useful information.

8.8.  Header Rewriting

   The MSA MAY rewrite local parts and/or domains, in the envelope and
   optionally in address fields of the header, according to local
   policy.  For example, a site may prefer to rewrite 'JRU' as
   'J.Random.User' in order to hide logon names, and/or to rewrite
   'squeeky.sales.example.net' as 'zyx.example.net' to hide machine names
   and make it easier to move users.

   However, only addresses, local-parts, or domains which match specific
   local MSA configuration settings should be altered.  It would be very
   dangerous for the MSA to apply data-independent rewriting rules, such
   as always deleting the first element of a domain name.  So, for
   example, a rule which strips the left-most element of the domain if
   the complete domain matches '*.foo.example.net' would be acceptable

"
On Thu, 2003-04-03 at 18:03, David Presotto wrote:
> I've noticed over the years that if the domain name in a From: address has
> a CNAME, then it gets rewritten by most sendmails.  Anyone know if there
> is an RFC that covers the subject?
>

Gabriel
-
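
The distinction drawn in the RFC 2476 sections 8.7 and 8.8 quoted above, as an added example that is not part of the original thread: unconditional alias resolution collapses distinct names, while policy-scoped rewriting touches only configured domains. The CNAME table stands in for DNS lookups and is constructed; all function and variable names are hypothetical.

```python
from email.utils import parseaddr, formataddr
from fnmatch import fnmatchcase

# Constructed alias table standing in for DNS CNAME lookups (the 8.7 NOTE case).
CNAMES = {
    "www.example.net": "mail.example.net",
    "ftp.example.net": "mail.example.net",
}

# Local MSA policy (8.8): an explicit domain map plus one scoped pattern rule.
DOMAIN_MAP = {"squeeky.sales.example.net": "zyx.example.net"}
STRIP_LEFTMOST_IF = ["*.foo.example.net"]


def resolve_unconditionally(domain):
    """What the 8.7 NOTE warns about: follow every CNAME, no policy check."""
    seen = set()
    while domain in CNAMES and domain not in seen:
        seen.add(domain)
        domain = CNAMES[domain]
    return domain


def rewrite_by_policy(domain):
    """Rewrite only domains that match specific local configuration."""
    d = domain.lower().rstrip(".")
    if d in DOMAIN_MAP:
        return DOMAIN_MAP[d]
    if any(fnmatchcase(d, pat) for pat in STRIP_LEFTMOST_IF):
        return d.split(".", 1)[1]  # strip the left-most label, scoped by pattern
    return domain  # no matching rule: leave the address untouched


def rewrite_header_address(value, rewrite):
    """Apply a domain rewriter to one address header value (single mailbox)."""
    name, addr = parseaddr(value)
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return value
    return formataddr((name, f"{local}@{rewrite(domain)}"))


def collapsed(domains, rewrite):
    """Group distinct input domains that a rewriter maps to the same output."""
    out = {}
    for d in domains:
        out.setdefault(rewrite(d), []).append(d)
    return {k: v for k, v in out.items() if len(v) > 1}
```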




* [9fans] rewriting From:
@ 2003-04-03 16:03 David Presotto
  2003-04-03 15:55 ` Gabriel Diaz Lopez de la Llave
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: David Presotto @ 2003-04-03 16:03 UTC (permalink / raw)
  To: 9fans

I've noticed over the years that if the domain name in a From: address has
a CNAME, then it gets rewritten by most sendmails.  Anyone know if there
is an RFC that covers the subject?



* Re: [9fans] rewriting From:
  2003-04-03 16:03 [9fans] rewriting From: David Presotto
  2003-04-03 15:55 ` Gabriel Diaz Lopez de la Llave
@ 2003-04-03 16:52 ` Lyndon Nerenberg {VE6BBM}
  2003-04-04 13:25 ` Martin Neitzel
  2 siblings, 0 replies; 10+ messages in thread
From: Lyndon Nerenberg {VE6BBM} @ 2003-04-03 16:52 UTC (permalink / raw)
  To: 9fans

>I've noticed over the years that if the domain name in a From: address has
>a CNAME, then it gets rewritten by most sendmails.  Anyone know if there
>is an RFC that covers the subject?

Sendmail hasn't done this for years, and the behaviour is not blessed
by any RFC I'm aware of. No MTA should do this sort of thing.

--lyndon



* Re: [9fans] rewriting From:
  2003-04-03 15:55 ` Gabriel Diaz Lopez de la Llave
@ 2003-04-03 17:07   ` David Presotto
  2003-04-03 17:09   ` Lyndon Nerenberg {VE6BBM}
  1 sibling, 0 replies; 10+ messages in thread
From: David Presotto @ 2003-04-03 17:07 UTC (permalink / raw)
  To: 9fans

Thanks.  It was the rfc2476 reference that I was having a
hard time finding.


* Re: [9fans] rewriting From:
  2003-04-03 15:55 ` Gabriel Diaz Lopez de la Llave
  2003-04-03 17:07   ` David Presotto
@ 2003-04-03 17:09   ` Lyndon Nerenberg {VE6BBM}
  2003-04-03 22:08     ` Geoff Collyer
  1 sibling, 1 reply; 10+ messages in thread
From: Lyndon Nerenberg {VE6BBM} @ 2003-04-03 17:09 UTC (permalink / raw)
  To: 9fans

>RFC-821 says that CNAME is supposed to be rewritten but

that RFC has been replaced by RFC 2821 where that text was removed.

>I took a look at rfc 2476 "message submission" and it says

>   NOTE:  Unconditionally resolving aliases could be harmful.  For
>   example, if www.example.net and ftp.example.net are both aliases for
>   mail.example.net, rewriting them could lose useful information.

And that's why RFC 2821 dropped the text about canonicalization. This
was done to accommodate the current-day practice of hosting "virtual
domains" on a single mail server.

--lyndon



* Re: [9fans] rewriting From:
  2003-04-03 17:09   ` Lyndon Nerenberg {VE6BBM}
@ 2003-04-03 22:08     ` Geoff Collyer
  0 siblings, 0 replies; 10+ messages in thread
From: Geoff Collyer @ 2003-04-03 22:08 UTC (permalink / raw)
  To: 9fans

RFCs have forbidden or discouraged use of CNAMEs for more and more
purposes.  I think they are almost useless as a result, if you follow
the letter of the law, though I haven't been able to keep up with the
barrage of RFCs.  Does anybody know in what contexts CNAMEs are still
permitted, if any?




* Re: [9fans] rewriting From:
  2003-04-03 16:03 [9fans] rewriting From: David Presotto
  2003-04-03 15:55 ` Gabriel Diaz Lopez de la Llave
  2003-04-03 16:52 ` Lyndon Nerenberg {VE6BBM}
@ 2003-04-04 13:25 ` Martin Neitzel
  2003-04-04 14:01   ` David Presotto
  2003-04-04 14:03   ` David Presotto
  2 siblings, 2 replies; 10+ messages in thread
From: Martin Neitzel @ 2003-04-04 13:25 UTC (permalink / raw)
  To: 9fans

DP> I've noticed over the years that if the domain name in a From: address has
DP> a CNAME, then it gets rewritten by most sendmails.  Anyone know if there
DP> is an RFC that covers the subject?

I'm too lazy to dig through the new versions (e.g. 2821) but
these venerable ones should be good enough:  rfc 821 + 1123.

RFC 821 "SMTP"
	3.7, "Domain Names":
	Whenever domain names are used in SMTP only the official names are
	used, the use of nicknames or aliases is not allowed.

RFC 1123 "Requirements for Internet Hosts" aka STD0003:
	5.2.2  Canonicalization   [...]
	The domain names that a Sender-SMTP sends in MAIL and RCPT
	commands MUST have been  "canonicalized," i.e., they must be
	fully-qualified principal names or domain literals, not
	nicknames or domain abbreviations.  A canonicalized name either
	identifies a host directly or is an MX name; it cannot be a
	CNAME.

They refer, strictly speaking, to the envelope addresses, but this is of
course tightly coupled to header addresses, too.  (Tightly enough to
warrant header rewritings as soon as possible, IMHO).

Closely related:  MXs may not point to CNAMEs, only canonical names.
(Should be in the DNS RFC.)

					Hope this helps, Martin
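
A check for the two rules cited in the message above (a mail domain cannot be a CNAME, and an MX may not point to one), as an added example that is not part of the original thread. The zone data is constructed and uses a simplified "owner TYPE rdata" form; the function names and finding labels are hypothetical.

```python
# Constructed sample zone data in a simplified "owner TYPE rdata" form.
ZONE = """\
example.net.        MX    10 mail.example.net.
shop.example.net.   MX    10 mx.example.net.   ; target is an alias
mail.example.net.   A     192.0.2.10
mx.example.net.     CNAME mail.example.net.
www.example.net.    CNAME mail.example.net.
www.example.net.    MX    10 mail.example.net. ; owner is an alias
"""


def parse_zone(text):
    """Return (owner, type, rdata) tuples, ignoring comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner.lower(), rtype.upper(), rdata.lower()))
    return records


def lint_mx_cname(records):
    """Flag MX records whose exchange target or owner name is a CNAME alias."""
    aliases = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = rdata.split()[-1]  # rdata is "<preference> <exchange>"
        if target in aliases:
            findings.append((owner, "mx-target-is-cname", target))
        if owner in aliases:
            findings.append((owner, "mx-owner-is-cname", owner))
    return findings
```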



* Re: [9fans] rewriting From:
  2003-04-04 13:25 ` Martin Neitzel
@ 2003-04-04 14:01   ` David Presotto
  2003-04-04 14:10     ` Lucio De Re
  2003-04-04 14:03   ` David Presotto
  1 sibling, 1 reply; 10+ messages in thread
From: David Presotto @ 2003-04-04 14:01 UTC (permalink / raw)
  To: 9fans

Venerable but off the mark.  Thanks anyways.  I got a closer answer
already.  I wanted to know what gave sendmail the expectation that
it was OK to rewrite the From: in a message body of received mail.
Both 821 and 1123 apply only to the sender, and even that translation
is cautioned against in later RFC's.

The real problem is having one system act differently under many
different names, not just for mail but also http, ftp, etc.  MX's
solve the problem of different names getting handled by a single
exchanger.  However, MX's do nothing for http, ftp, etc.  CNAMEs
actually work fine for http since the original URL comes in the header
of the GET/POST requests.  Unfortunately, the CNAMEs then break
the mail exchanger since mail addresses in outgoing mail get
rewritten by some of the receivers.

However, I've also found weasel words about the CNAME's in
redirected URL's also getting rewritten so all bets are off.
I think the short of it is, CNAMEs are completely useless
at least for what I want to do.

Assigning lots of A records to a single name was also a
possibility.  Unfortunately, that wreaks havoc with
certificate algorithms that have the domain name built into
the certificate.  Ditto for email, since some dildos
seem to rewrite the address, regardless of whether or not
it's a CNAME, into one (but not always the same) A record
returned with the reverse lookup.

In the long run, I guess I'm stuck with just assigning one IP
address per name and using that.  That has the advantage of also
working for ftp and other protocols in which the server has no
idea what name was used to reach them.  It's just a friggin
waste of addresses.  Hopefully, ipv6 will come along soon...



* Re: [9fans] rewriting From:
  2003-04-04 13:25 ` Martin Neitzel
  2003-04-04 14:01   ` David Presotto
@ 2003-04-04 14:03   ` David Presotto
  1 sibling, 0 replies; 10+ messages in thread
From: David Presotto @ 2003-04-04 14:03 UTC (permalink / raw)
  To: 9fans

in that last message

s/lots of A records to a single name/lots of names to a single address/



* Re: [9fans] rewriting From:
  2003-04-04 14:01   ` David Presotto
@ 2003-04-04 14:10     ` Lucio De Re
  0 siblings, 0 replies; 10+ messages in thread
From: Lucio De Re @ 2003-04-04 14:10 UTC (permalink / raw)
  To: 9fans

On Fri, Apr 04, 2003 at 09:01:47AM -0500, David Presotto wrote:
>
> However, I've also found weasel words about the CNAME's in
> redirected URL's also getting rewritten so all bets are off.
> I think the short of it is, CNAMEs are completely useless
> at least for what I want to do.
>
I think CNAMEs were doomed at inception.  I mean, they aren't even
CNAMEs, they are nicknames with a "canonical value".  Just the
confusion _this_ causes should be enough to frighten one off.

++L

