VeriSign SMTP reject server updated

Paul Vixie vixie at vix.com
Sat Sep 20 19:47:15 UTC 2003


mlarson at verisign.com (Matt Larson) writes:

> We are interested in feedback on the best way within the SMTP protocol
> to definitively reject mail at these servers.  One alternate option we
> are considering is rejecting the SMTP transaction by returning a 554
> response code as described in Section 3.1 of RFC 2821.  Our concern is
> if this response effectively causes most SMTP servers to bounce the
> message, which is the desired reaction.

is it?  right now there are a lot of unintended consequences and several
of them are rather painful.  for example, let's say you were using a
friend as your backup MX and he got put on domain-hold.  or in the more
common case you misspell your backup mx.  either way mail that should be
queued and then later would have been successfully delivered will bounce
at the verisign server.

>                                          We are researching common
> SMTP servers' handling of this response code; at least one popular
> server appears to requeue mail after receiving 554.  Another option is
> remaining with the more standard SMTP sequence (returning 250 in
> response to HELO/EHLO), but then returning 550 in response to MAIL
> FROM as well as RCPT TO.

no matter what you do you're turning nonfatal error conditions into fatal
ones.  i'm not sure it matters which kind of fatal condition you cause,
or the specific smtp messages you use to cause it.  either way you're in
the loop and there's no good that can come of it from an e-mail p-o-v.

before we deployed root-delegation-only here, i was also annoyed that my
e-mail tool could not tell me about misspelled domain names at "send" time
and i had to wait for the wildcard mail servers to bounce the traffic.  i
am much happier with nxdomain than i was with the wildcard.  it's just sad
that i'm going to have to move vix.com to a different parent domain name
to get that behaviour to work for me as a recipient and others as senders.

> I would welcome feedback on these options sent to me privately or the
> list; I will summarize the former.

i chose to send this to the list since some folks have been wondering if
i'm a verisign apologist lately and i believe that open debate is better
for this kind of thing.
-- 
Paul Vixie
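
The misspelled-backup-MX case from the message above, modelled as an added example (not part of the original post and not any real MTA's code). It assumes a simplified sender that skips hosts that fail to resolve or connect, queues when no host gives a final answer, and bounces on any 5xx; the host names, addresses and the "reject-server" label are constructed.

```python
# Simplified sending-MTA decision logic (illustrative model, constructed data).
QUEUE, BOUNCE, DELIVERED = "queue", "bounce", "delivered"

# Constructed sample: primary MX is registered, backup MX name is misspelled
# and therefore does not exist in the zone.
MX = [(10, "mail.example.org"), (20, "backup.freind.example")]
ZONE = {"mail.example.org": "192.0.2.10"}

def resolve(host, zone, wildcard):
    """Return an address, or None for NXDOMAIN. With a wildcard in the parent
    zone, every unregistered name resolves to the reject server instead."""
    if host in zone:
        return zone[host]
    return "reject-server" if wildcard else None

def attempt_delivery(mx_records, zone, smtp_reply, wildcard):
    """smtp_reply maps address -> final SMTP reply code, or None if the
    connection fails. Returns (decision, per-host trace)."""
    trace = []
    for _pref, host in sorted(mx_records):
        addr = resolve(host, zone, wildcard)
        if addr is None:
            trace.append((host, "NXDOMAIN"))   # nonfatal: try next MX
            continue
        code = smtp_reply.get(addr)
        if code is None or 400 <= code < 500:
            trace.append((host, "tempfail"))   # nonfatal: try next MX
            continue
        trace.append((host, code))
        if 200 <= code < 300:
            return DELIVERED, trace
        return BOUNCE, trace                   # 5xx: fatal, sender bounces
    return QUEUE, trace                        # nothing final: retry later

def scenario(wildcard, primary_up):
    """Run one delivery attempt; the reject server answers 550 as in the
    second option quoted above."""
    replies = {"192.0.2.10": 250 if primary_up else None, "reject-server": 550}
    return attempt_delivery(MX, ZONE, replies, wildcard)

if __name__ == "__main__":
    for wildcard in (False, True):
        decision, trace = scenario(wildcard, primary_up=False)
        print(f"wildcard={wildcard}: {decision} {trace}")
```

With the primary down, the same attempt ends in "queue" under NXDOMAIN and in "bounce" under the wildcard, whichever 5xx code the reject server picks.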


