| 1 |
On 8/18/20 4:36 PM, Grant Taylor wrote: |
| 2 |
> On 8/18/20 5:59 AM, Caveman Al Toraboran wrote: |
| 3 |
>> redundant as in containing concepts already done in other protocols, |
| 4 |
>> so smtp has many re-invented wheels that are already invented in |
| 5 |
>> existing protocols. |
| 6 |
> |
| 7 |
> Please elaborate.� Please be careful to provide information about /when/ |
| 8 |
> the protocols that SMTP is supposedly redundant of were developed. |
| 9 |
> |
| 10 |
> I suspect that you will quickly find that SMTP predates the protocols |
| 11 |
> that you are stating it's redundant of.� I further suspect that you will |
| 12 |
> find that SMTP predates them by 10, or more likely 20, if not 30 years. |
| 13 |
> |
| 14 |
> Here's a hint.� SMTP was ~82.� HTTP (1.0) was ~89.� We couldn't post |
| 15 |
> thing in HTTP 1.0.� HTTP 2.0 was ~15. |
| 16 |
> |
| 17 |
>> basically smtp, as an application-layer protocol, is needless. |
| 18 |
> |
| 19 |
> We are all entitled to our own opinion. |
| 20 |
> |
| 21 |
>> imo, smtp should be a much-higher level protocol defined purely on top |
| 22 |
>> of how dns and http/2. |
| 23 |
> |
| 24 |
> How do you get any higher layer than the application layer? |
| 25 |
> |
| 26 |
>> e.g. for mail submission, there is no need for a separate |
| 27 |
>> application-layer protocol as we can simply use http/2.� because the |
| 28 |
>> concept of mail submission is a special case of data submission, which |
| 29 |
>> is already in http/2. |
| 30 |
> |
| 31 |
> HTTP /now/ has a way to submit data.� HTTP didn't exist when SMTP was |
| 32 |
> developed.� Further, HTTP didn't have the ability to submit data for a |
| 33 |
> while. |
| 34 |
> |
| 35 |
> If you look at multiple layers of the network stack, HTTP and SMTP are |
| 36 |
> both at the application layer.� Now you are suggesting moving equal |
| 37 |
> peers so that mail is subservient of / dependent on web? |
| 38 |
> |
| 39 |
> Does HTTP or the web servers have the ability to queue messages to send |
| 40 |
> between systems?� How many web servers handle routing of incoming |
| 41 |
> messages to send to other servers?� How dynamic is this web server |
| 42 |
> configuration to allow servers for two people who have never exchanged |
| 43 |
> email to do so? |
| 44 |
> |
| 45 |
> This routing, queuing, and many more features are baked into the email |
| 46 |
> ecosystem.� Features that I find decidedly lacking in the web ecosystem. |
| 47 |
> |
| 48 |
>> here is a more complete example of what i mean: |
| 49 |
>> |
| 50 |
>> 1. we lookup MX records to identify smtp servers to submit mails to. |
| 51 |
>> 2. from the response to that lookup we get a domain name, say, |
| 52 |
>> mail.dom.com. |
| 53 |
> |
| 54 |
> #1 and 2 are par for what we have today.� No improvement. |
| 55 |
> |
| 56 |
>> 3. then, the standard defines a http/2 request format to submit the mail. |
| 57 |
> |
| 58 |
> Given how things never die on the Internet, you're going to need both |
| 59 |
> SMTP /and/ HTTP /on/ /the/ /email/ /server/ to be able to send & receive |
| 60 |
> email with people on the Internet. |
| 61 |
> |
| 62 |
> So you now have a HUGE net negative in that you have the existing |
| 63 |
> service plus a new service.� You're in many ways doubling the exposure |
| 64 |
> and security risk of email servers. |
| 65 |
> |
| 66 |
>> an example of step (3) could be this: |
| 67 |
>> |
| 68 |
>> ���� https://mail.dom.com/from=...&to=...&cc=...\ |
| 69 |
>> ���� &bcc=...&subject=...&attach1=...&attach2=...\ |
| 70 |
>> ���� &attachn=... |
| 71 |
> |
| 72 |
> If you were to do this, you would NOT do it via GETs with URL |
| 73 |
> parameters.� You would do it as POSTs. |
| 74 |
> |
| 75 |
> You will also have to find a way to deal with all the aspects of SMTP |
| 76 |
> and RFC 822 email + mime.� I suspect that you will find this to be |
| 77 |
> extremely tricky.� Especially if you try to avoid SMTP / RFC 822 |
| 78 |
> semantics b/c SMTP is apparently a bad thing. |
| 79 |
> |
| 80 |
> How does your example scheme account for the fact that the SMTP envelope |
| 81 |
> from address frequently diff from the RFC 822 From: header?� Remember, |
| 82 |
> this very feature is used thousands of times per day.� So you have to |
| 83 |
> have it. |
| 84 |
> |
| 85 |
> There's also many Many MANY other features of SMTP that are also used |
| 86 |
> thousands of times a day that I'm seeing no evidence of. |
| 87 |
> |
| 88 |
>> ���� i don't know how http/2 works.� do they have |
| 89 |
>> ���� POST requests?� if so maybe fields attach1, |
| 90 |
>> ���� attach2, ..., attachn can be submitted as file |
| 91 |
>> ���� uploads using POST. |
| 92 |
>> |
| 93 |
>> further, if we modify steps (1) and (2), we can generalise this |
| 94 |
>> concept into tor services.� e.g.� an email address simply becomes an |
| 95 |
>> onion address.� e.g. if vagzgdrh747aei0q.onion is the hidden service |
| 96 |
>> address of your mail server, then your email address could be written |
| 97 |
>> as (for convenience): |
| 98 |
>> |
| 99 |
>> ���� remco@××××××××××××××××.onion |
| 100 |
> |
| 101 |
> I ... I don't have the words.� Go run that idea past an SEO expert. |
| 102 |
> |
| 103 |
> Go ask people to drop their domain name in favor of a hash. |
| 104 |
> |
| 105 |
> I'm not going to hold my breath. |
| 106 |
> |
| 107 |
> How are you going to handle the billions of email clients that exist |
| 108 |
> today, many of which will never be updated, to handle ToR?� You're going |
| 109 |
> to have to have something to gateway old and new. |
| 110 |
> |
| 111 |
> That means that you're still going to have steps #1 and #2.� You can't |
| 112 |
> get away from them without everybody and everything migrating to the new |
| 113 |
> system.� Even then, chances are still extremely good that you're /still/ |
| 114 |
> going to have #2. |
| 115 |
> |
| 116 |
>> and when a "mail" client tries to submit you an email, it submits it |
| 117 |
>> by this url: |
| 118 |
>> |
| 119 |
>> ���� https://vagzgdrh747aei0q.onion/to=remco&...etc. |
| 120 |
> |
| 121 |
> I haven't the words. |
| 122 |
> |
| 123 |
>> then, in order to authenticate a source, we simply use public-private |
| 124 |
>> keys ... |
| 125 |
> |
| 126 |
> Because that has worked out so well and with so few problems in the past |
| 127 |
> 25 years. |
| 128 |
> |
| 129 |
>> ... to sign messages. |
| 130 |
> |
| 131 |
> Even /more/ unlikely to be ubiquitously adopted. |
| 132 |
> |
| 133 |
>> basically, our public keys become our user identifiers. |
| 134 |
> |
| 135 |
> What?! |
| 136 |
> |
| 137 |
> Now you are taking away the human friendly name in addition to the |
| 138 |
> domain name. |
| 139 |
> |
| 140 |
> People are going to be lined up to hang you. |
| 141 |
> |
| 142 |
>> this will also solve the problem of the case when an onion address |
| 143 |
>> changes. |
| 144 |
> |
| 145 |
> I don't think so. |
| 146 |
> |
| 147 |
>> i call this protocol mailball for the purpose of making speech this |
| 148 |
>> mail thread a bit easier.� of course, we can pick better names, and |
| 149 |
>> refine the mechanics. |
| 150 |
> |
| 151 |
> There are a LOT of mechanics that need to be defined before they can |
| 152 |
> even be refined. |
| 153 |
> |
| 154 |
>> for people who use the deprecated smtp protocol, yes, it will be |
| 155 |
>> "don't spam us, we'll spam you". |
| 156 |
> |
| 157 |
> I think you'll find that your mail(fire)ball will be excommunicated form |
| 158 |
> the rest of the SMTP speaking Internet and never gain enough traction, |
| 159 |
> much less take over and become the norm. |
| 160 |
> |
| 161 |
>> however, that's not our fault.� they are using a deprecated protocol, |
| 162 |
>> and we are just kind enough to allow them an opportunity to talk to us |
| 163 |
>> over the superior mailball protocol. |
| 164 |
> |
| 165 |
> Oh, how graciously thoughtful of yo....� See my previous statement. |
| 166 |
> |
| 167 |
>> basically, they are using deprecated identifiers (email ids) instead |
| 168 |
>> of public keys, and we're kind enough to give them a temporary api so |
| 169 |
>> that we confirm their emails. |
| 170 |
> |
| 171 |
> LOL |
| 172 |
> |
| 173 |
>> on the other hand, people who use mailball will not have this problem. |
| 174 |
>> why?� because ids are public keys anyway, and their messages are |
| 175 |
>> signed by their private keys (the usual drill, won't insult your |
| 176 |
>> intelligence). |
| 177 |
> |
| 178 |
> So, how will mail(fire)ball prevent me from creating as many key pairs |
| 179 |
> as I want and sending you a message from each and every one of them? How |
| 180 |
> does this do anything to prevent spam or viruses? |
| 181 |
> |
| 182 |
> How well does your security hold up when, not if, someone creates a |
| 183 |
> gateway to make it trivial to send SMTP based email into mail(fire)ball? |
| 184 |
> �It will happen just after mail(fire)ball gets just enough traction |
| 185 |
> that people scratch the surface to look at it.� That is if it doesn't |
| 186 |
> happen as part of getting enough people Interested.� Or even your own |
| 187 |
> ""API that you are graciously providing. |
| 188 |
|
| 189 |
|
| 190 |
I find all of this *fascinating*. |
| 191 |
|
| 192 |
So I have threads from 7/28 and others that attempt to discover the |
| 193 |
(gentoo) packages necessary to run my own email services. I have (2) |
| 194 |
R.Pi4 (8Gram) and (2) more on order to build out complete |
| 195 |
mail/DNS/security for a small/moderate number of folks to use. Just me |
| 196 |
to start/test/debug. |
| 197 |
|
| 198 |
I'd like to build out Grant(Taylor) and Ashley's solution for further |
| 199 |
learning and testing, on Rpi4 based gentoo systems. robust security and |
| 200 |
reasonable straightforward (gentoo) admin, is my goal. |
| 201 |
|
| 202 |
Can either or both of you concisely list what I'd need |
| 203 |
(the ebuild list) to implement a basic, but complete, secure email |
| 204 |
system, as delineated in your recent posts? I'd be willing to document |
| 205 |
both the build and running tests, for the greater good of the gentoo |
| 206 |
community. |
| 207 |
If there is interests in the tests and results. |
| 208 |
|
| 209 |
|
| 210 |
Remember, I started this some months ago, cause Frontier does not even |
| 211 |
offer basic email services. I hate all thing cloud (deep desire to be |
| 212 |
100% independent of the cloud) and want the ability to remotely |
| 213 |
retrieve mails and send emails through *my email systems*. I am |
| 214 |
certainly not alone, as some have sent me private email, |
| 215 |
with similar desires. |
| 216 |
|
| 217 |
The big corporations are trying to destroy and remove standards based |
| 218 |
email from the internet. For me, it is my most useful, important and |
| 219 |
most desired feature of the internet. |
| 220 |
|
| 221 |
I'm ordering up (6) static IPs from Frontier. At some point, I'll put |
| 222 |
another primary bandwidth provider under this, with hopefully the |
| 223 |
ability to "bond the pipes" via BGP4 or another capable protocol. |
| 224 |
Keeping the list of codes to a minimum, is appreciated, at least until I |
| 225 |
get the (2) boards up and running. Previously, IPv6 address mapped to |
| 226 |
these boards was suggested. I do not see any reason why both ipv4 and |
| 227 |
ipv6 cannot be mapped (routed if you like) to these R.pi.4 boards |
| 228 |
simultaneously or separately, based on the test vectors under |
| 229 |
developmental/proof study? |
| 230 |
|
| 231 |
|
| 232 |
Sorry for "jumping" this wonderful 'diatribe' but if I post directly, |
| 233 |
via Verizon, to gentoo-user, it mostly bounces (another problem). |
| 234 |
Verizon is dumping their email services too: |
| 235 |
|
| 236 |
https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server |
| 237 |
|
| 238 |
https://www.howtoforge.com/perfect_server_gentoo_2007.0 |
| 239 |
|
| 240 |
https://www.androidpolice.com/2020/08/15/this-smartphone-has-physical-kill-switches-for-its-cameras-microphone-data-bluetooth-and-wi-fi/ |
| 241 |
|
| 242 |
motivated and curious, |
| 243 |
James |
Archives