[milters] Archive


Article: 631
From: Michael Elliott
Date: 2005-07-01 15:31:07 -0400
Subject: Re: New milter-spiff : A SPF-Classic implementation.


Anthony Howe wrote:
> 
> Note that this is completely an independent implementation. I don't use 
> libspf nor libspf2. I wrote it from scratch based on the IETF Internet 
> Draft 02. I support all the interesting bits of the spec. except some 
> macros (s, l, o, c, r, t) and I don't bother with the "exp=" modifier.

Without the macros, it is worse than useless.  I require the macros to
authorize on a per user basis for some of my domains, and I need them for
logging on all of my domains.  It is the only way to see who is trying 
to send mail from a non-authorized source ip so I can get their system 
reconfigured.

"v=spf1 a mx exists:softI.%{i}.F.%{l}.%{o}.H.%{h}.spf.isp.net ~all"
for soft fails for a month of tracking, and when I am confident that
everyone is working properly and I have added any special cases,
"v=spf1 a mx ip4:1.2.3.4/29 ?ptr:city.dsl.provider.net 
  exists:hardI.%{i}.F.%{l}.%{o}.H.%{h}.spf.isp.net -all"
which will still log the domain for any new users that try to go 
out of bounds.  

Combined with a bind9 server that is logging requests gives me full 
tracking of who is working outside their boundary.  Without dns logging
you are guessing as to whether the users are staying within their bounds
or not.  If you are guessing, you can never confidently go to -all
which is the whole goal of spf.

The reason I say worse than useless is that if anyone other than me
installs this, their system will not invoke the exists: clause, and 
I will not get a dns hit saying the user is out of bounds.  Therefore,
a soft or hard fail will go unnoticed.

So, please put the macros in.  All of the spec has to be implemented
if it is going to work correctly.

I just went checking my logs,  *It appears* that someone behind the 
dns server mx15.global.net.uk is already trying your software.  
*If this is your software*, it is screwing up and giving me 

the IP correctly, %{i}
the user correctly, %{l}
the original domain %{o} is being filled with the domain name of the 
connecting ip address instead of the domain name used in the email address.  
In other words, %{o} is being filled in with `host %{i}` information 
instead of being the right half of the email address being verified.
the helo correctly %{h}

Therefore, the logging is useless because I do not know which
domain name is being checked.

And remember that %{o} is the domain of the original email address
to be checked, while %{d} is the domain of any include or redirect
clause being checked.  libspf1 has a problem with this for a little
while.  I still see hits in my logs for the broken version.

exp= is required so a domain's sysadmin can yell directly at his 
own users through the smtp reject message that they are using the 
wrong server and give them information on how to fix the situation.  

So again, please put the macros and exp= in.  All of the spec has to be 
implemented if it is going to work correctly.

Yes, spf is useful.  My logs show that several domains I have it 
implemented on are blocking 2,000+ forgeries per day.  A rough
estimate puts about 95% of them as virus generated.

-Mike Elliott
Msen Sysadmin
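As an added illustration (not code from the post, nor from milter-spiff or any libspf), here is a small Python expander for the macros the post's exists: target relies on, showing %{o} taken from the address being verified and %{d} from the domain currently under evaluation. The CheckContext fields and all sample addresses and IPs are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class CheckContext:
    """Inputs of one SPF check (constructed sample data, not from the post)."""
    sender: str     # MAIL FROM address being verified -> %{s}, %{l}, %{o}
    client_ip: str  # connecting IP address              -> %{i}
    helo: str       # HELO/EHLO host name                -> %{h}
    domain: str     # domain currently being evaluated   -> %{d}

# %{x} with optional digit count, optional 'r' (reverse) and optional
# delimiter set, plus the literal escapes %%, %_ and %-.
MACRO_RE = re.compile(r"%(?:\{([slodih])(\d*)(r?)([.\-+,/_=]*)\}|([%_-]))")

def expand_macros(template: str, ctx: CheckContext) -> str:
    """Expand SPF macros the way a DNS-logging exists: target needs them."""
    local, _, sender_domain = ctx.sender.rpartition("@")
    # %{o} is the right half of the address being checked; %{d} is whatever
    # domain an include:/redirect= has moved the evaluation to.
    values = {"s": ctx.sender, "l": local, "o": sender_domain,
              "d": ctx.domain, "i": ctx.client_ip, "h": ctx.helo}

    def substitute(m: re.Match) -> str:
        letter, digits, reverse, delims, literal = m.groups()
        if literal:
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        # Split on the delimiter set (default "."), optionally reverse,
        # keep the rightmost N labels, and rejoin with dots.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(substitute, template)

# The soft-fail tracking target from the post, without the "exists:" prefix.
TRACKING_TARGET = "softI.%{i}.F.%{l}.%{o}.H.%{h}.spf.isp.net"

def tracking_query_name(ctx: CheckContext) -> str:
    """DNS name the exists: clause would look up, i.e. what shows up in bind9 query logs."""
    return expand_macros(TRACKING_TARGET, ctx)

if __name__ == "__main__":
    ctx = CheckContext("jane@example.org", "192.0.2.10", "mail.example.org", "example.org")
    print(tracking_query_name(ctx))
```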
