IDN domain name support
Alejandro Cabrera Obed
domain names. I have a mail system conformed with Debian Lenny /
Postfix 2.5.5-1.1.
My question is this:
Does Postfix 2.5.5-1.1 support IDN domain names in case I create a
@ñoño.com.ar domain ??? Or is it a problem inherent only to mail
clients like Outlook, Thunderbird, etc. ???
Special thanks
Alejandro
Victor Duchovni
> Dear all, I live in Argentina and now we can use the ?? letter in our
> domain names. I have a mail system conformed with Debian Lenny /
> Postfix 2.5.5-1.1.
>
> My question is this:
>
> Does Postfix 2.5.5-1.1 support IDN domain names in case I create a
> @??o??o.com.ar domain ??? Or is it a problem inherent only to mail
> clients like Outlook, Thunderbird, etc. ???
Displaying IDN domain names is a client-only issue. Postfix works
with ASCII on-the-wire "xn-<punycode>" names.
Even in bounce messages, where Postfix could arguably process IDN names,
it is far from clear that making bounces only readable by people who can
read Chinese, Arabic, Russian, ... is a good idea. It is best to rely
on MUAs display the structured bounce in the most appropriate way.
--
Viktor.
Alejandro Cabrera Obed
works with ASCII on-the-wire, so if in my Postfix I create a virtual
domain called "ñandu.gov.ar" you tell me that Postfix will
automatically encoded it to Punycode and resulting the domain:
xn--andu-fqa.gov.ar ????
So I can create IDN domain names in my Postfix, and now my unique
objective is ensure that mail clients (MUA's) work with IDN names and
anymore ???
Thanks again !!!!
Alejandro
2010/5/26 Victor Duchovni <Victor....@morganstanley.com>:
--
Alejandro Cabrera Obed
aco...@gmail.com
www.alejandrocabrera.com.ar
Wietse Venema
> Dear all, I live in Argentina and now we can use the ? letter in our
> domain names. I have a mail system conformed with Debian Lenny /
> Postfix 2.5.5-1.1.
>
> My question is this:
>
> Does Postfix 2.5.5-1.1 support IDN domain names in case I create a
> clients like Outlook, Thunderbird, etc. ???
Mail clients must translate non-ASCII domain names into punycode
(xn-mumble) format before issuing SMTP commands (MAIL FROM, RCPT TO).
Wietse
Alejandro Cabrera Obed
domain name or with the xn--oo-yjab.gov.ar punycode domain name ???
For example, in my mail server I define my virtual domains in
/etc/postfix/vmaildomains. How di I have to define it:
ñoño.com.ar required
or
xn--oo-yjab.gov.ar required
?????
The same for the Maildir paths, do they have to be under:
/var/vmail/ñoño.com.ar/user/Maildir
or
/var/vmail/xn--oo-yjab.gov.ar/user/Maildir
????
Thanks a lot
Alejandro
2010/5/26 Wietse Venema <wie...@porcupine.org>:
--
Victor Duchovni
> Wietse, thanks...but in Postfix I have to work with the ??o??o.com.ar
> domain name or with the xn--oo-yjab.gov.ar punycode domain name ???
The latter.
> For example, in my mail server I define my virtual domains in
> /etc/postfix/vmaildomains. How di I have to define it:
>
> ??o??o.com.ar required
>
> or
>
> xn--oo-yjab.gov.ar required
The latter.
> The same for the Maildir paths, do they have to be under:
>
> /var/vmail/??o??o.com.ar/user/Maildir
Entirely up to you and your preferences for file names on your
server.
> /var/vmail/xn--oo-yjab.gov.ar/user/Maildir
Postfix does not dictate how you name (parent) maildir directories.
--
Viktor.
P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
Wietse Venema
> Wietse, thanks...but in Postfix I have to work with the ?o?o.com.ar
> domain name or with the xn--oo-yjab.gov.ar punycode domain name ???
Read carefully.
The MAIL CLIENT must tranform non-ASCII domain names before
sending MAIL FROM or RCPT TO commands.
Wietse
Alejandro Cabrera Obed
client sending a mail to a non-real IDN mail user:
- My Thunderbird says: "An error ocurred while sending mail. Tha mail
servers responded: 5.1.3 Bad recipient address syntax" (THIS IS A
SERVER RESPONSE)
- The Gmail webmail says: "One o more mail address in "To:" box is not
recognized" (THIS IS A CLIENT RESPONSE)
So, I think the IDN domain name support is not complete nowadays,
neither by mail servers nor by mail clients. So it's not convenient
the IDN mail implementation in this bad situation.
What do you think about this matter ???
Really thanks
2010/5/26 Wietse Venema <wie...@porcupine.org>:
--
Brian Evans - Postfix List
> Dear all, I've just made a test from Gmail and my Thunderbird mail
> client sending a mail to a non-real IDN mail user:
>
> alejandro@años.com.ar
>
> - My Thunderbird says: "An error ocurred while sending mail. Tha mail
> servers responded: 5.1.3 Bad recipient address syntax" (THIS IS A
> SERVER RESPONSE)
>
This is due to a (very old) CLIENT bug, [1]
The server is just complaining about bad CLIENT syntax.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=127399
Alejandro Cabrera Obed
about the Gmail syntax error warning ??? In Hotmail is the same, it
tells me that the recipient address just must have 1-9, a-z and @
characters....in this case with my IDN domain I wiil remain isolate of
the Hotmail, Yahoo, Gmail world and it's not good !!!
Any comment ???
2010/5/27 Brian Evans - Postfix List <grkn...@scent-team.com>:
--
Per Jessen
> Dear all, I've just made a test from Gmail and my Thunderbird mail
> client sending a mail to a non-real IDN mail user:
>
> alejandro@años.com.ar
>
> - My Thunderbird says: "An error ocurred while sending mail. Tha mail
> servers responded: 5.1.3 Bad recipient address syntax" (THIS IS A
> SERVER RESPONSE)
>
> - The Gmail webmail says: "One o more mail address in "To:" box is not
> recognized" (THIS IS A CLIENT RESPONSE)
>
> So, I think the IDN domain name support is not complete nowadays,
> neither by mail servers nor by mail clients. So it's not convenient
> the IDN mail implementation in this bad situation.
>
> What do you think about this matter ???
I think you're wrong - my thunderbird and my postfix does fine with
mails to and from @ënidan.ch (a test domain I set about two years
ago).
/Per Jessen, Zürich
Victor Duchovni
> OK, this is in case of my Thunderbird Debian lenn package, but what
> about the Gmail syntax error warning ??? In Hotmail is the same, it
> tells me that the recipient address just must have 1-9, a-z and @
> characters....in this case with my IDN domain I wiil remain isolate of
> the Hotmail, Yahoo, Gmail world and it's not good !!!
Please waste no further time on this list. Postfix works with IDN. If
many clients still don't, that is NOT a Postfix issue. The clients
MUST (if they support IDN domains) send punycode encoded domains to
the SMTP server.
--
Viktor.
Per Jessen
>> So, I think the IDN domain name support is not complete nowadays,
>> neither by mail servers nor by mail clients. So it's not convenient
>> the IDN mail implementation in this bad situation.
>>
>> What do you think about this matter ???
>
> I think you're wrong - my thunderbird and my postfix does fine with
> mails to and from @ënidan.ch (a test domain I set about two years
> ago).
Correction - thunderbird doesn't work with IDNs. TB 3.0 is supposed to
though.
/Per Jessen, Zürich
Pat
>> domain name or with the xn--oo-yjab.gov.ar punycode domain name ???
>
> sending MAIL FROM or RCPT TO commands.
ICANN did not really consider the security and portability of IDNs before
permitting them. The reasons for this are many, and speak poorly to ICANN's
management structure. It is important to remember that ICANN's action does not
mean that end-users are prepared to accept mail from such domains, or that doing so
would be secure, much less that operating systems, libraries, and applications are
capable of dealing with IDNs safely.
Whether IDNs will ever be portable is a matter of debate. Right now they are in
early-alpha status i.e., not ready for production. This might be OK for some DNS
and SMTP implementations but for most production systems they pose too high of a
risk. The increase in complexity of each OS, lib, and app required to accommodate
IDNs is non-trivial. Widespread implementation would degrade security in and of
itself (because of the relationship between code size and security among other
factors).
Speaking only for myself, for the foreseeable future we are not interested in
experimental code and do not want to use a version of bind or postfix that cannot
be compiled to refuse IDNs.
Pat
LuKreme
>
> we are not interested in
> experimental code and do not want to use a version of bind or postfix that cannot
> be compiled to refuse IDNs.
If you refuse properly delegated IDNs then you are broken, pure and simple.
This is WHY punycode exists, as it requires no rewriting (or very little) of libraries to be UTF-8 clean.
--
There's nothing to do, so you just stay in bed [ah, poor thing] Why live
in the world when you can live in your head?
Victor Duchovni
> ICANN did not really consider the security and portability of IDNs
> before permitting them. The reasons for this are many, and speak
> poorly to ICANN's management structure. It is important to remember
> that ICANN's action does not mean that end-users are prepared to accept
> mail from such domains, or that doing so would be secure, much less
> that operating systems, libraries, and applications are
> capable of dealing with IDNs safely.
However true any of the above may be, it is not Postfix related.
> Whether IDNs will ever be portable is a matter of debate. Right now
> they are in early-alpha status i.e., not ready for production. This
> might be OK for some DNS and SMTP implementations but for most production
> systems they pose too high of a risk.
The only place that IDNs are in any way interesting is in user-agents,
since that's where xn--foo-bar gets turned into something that a user
who can read the relevant glyphs can understand. Infrastructure (as
opposed to user-facing client software) is IDN agnostic, because IDN
domain names are just like any other ASCII domain name.
> Speaking only for myself, for the foreseeable future we are not interested in
> experimental code and do not want to use a version of bind or postfix
> that cannot be compiled to refuse IDNs.
There is no code in Postfix to support IDN, and nothing to re-compile.
IDN domains are just like non-IDN domains, and work out of the box.
If you absolutely want to reject IDN dns labels, just adjust your
access tables:
sender_access.pcre:
/@(\S+\.)*?xn--/ REJECT No room for IDN domains on my soapbox
--
Viktor.