[milters] Archive

Lists Index Date Thread Search

Article: 632
From: Anthony Howe
Date: 2005-07-01 16:01:07 -0400
Subject: Re: New milter-spiff : A SPF-Classic implementation.

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Michael Elliott wrote:
> Anthony Howe wrote:
> 
>>Note that this is completely an independent implementation. I don't use 
>>libspf nor libspf2. I wrote it from scratch based on the IETF Internet 
>>Draft 02. I support all the interesting bits of the spec. except some 
>>macros (s, l, o, c, r, t) and I don't bother with the "exp=" modifier.
> 
> 
> Without the macros, it is worse than useless.  I require the macros to

The %{c}, %{r}, and %{t} macros only apply to the "exp=" explination 
modifier which is not supported adn not a MUST requirement. The %{s}, 
%{l}, and %{o} refer to elements of the MAIL FROM: argument and %{h}, 
the HELO argument. However, spfCheckDomain() is not implemented like 
check_host() as described in the Internet Draft.

spfCheckDomain(client-ip, domain, result) can be called out of the 
context of an SMTP session and so elements such as the HELO argument and 
MAIL FROM: argument may be non-existant. check_host() as described by 
the Intente Draft assumes an SMTP context, but I could imagine such a 
function being use outside such a context in which you only have a 
domain name to work with and not a HELO or MAIL FROM: argument.

> authorize on a per user basis for some of my domains, and I need them for
> logging on all of my domains.  It is the only way to see who is trying 
> to send mail from a non-authorized source ip so I can get their system 
> reconfigured.
> 
> "v=spf1 a mx exists:softI.%{i}.F.%{l}.%{o}.H.%{h}.spf.isp.net ~all"
> for soft fails for a month of tracking, and when I cam confident that
> everyone is working properly and I have added any special cases,
> "v=spf1 a mx ip4:1.2.3.4/29 ?ptr:city.dsl.provider.net 
>   exists:hardI.%{i}.F.%{l}.%{o}.H.%{h}.spf.isp.net -all"
> which will still log the domain for any new users that try to go 
> out of bounds.  
> 
> Combined with a bind9 server that is logging requests gives me full 
> tracking of who is working outside their boundary.  Without dns logging
> you are guessing as to whether the users are staying within their bounds
> or not.  If you are guessing, you can never confidently go to -all
> which is the whole goal of spf.

The logging is unnecessary when using SMTP+AUTH as is recommended with 
SPF, since all known users should send mail for a domain via their mail 
provider.

> The reason I say worse than useless is that if anyone other than me
> installs this, their system will not invoke the exists: clause, and 
> I will not get a dns hit saying the user is out of bounds.  Therefore,
> a soft or hard fail will go unnoticed.
> 
> So, please put the macros in.  All of the spec has to be implemented
> if it is going to work correctly.

I beg to differ, but I'm willing to listen to further arguments and 
examples. Put of my design choice was based on what I saw as useful. I'm 
willing to be convinced otherwise. You argument is certainly interesting.

> I just went checking my logs,  *It appears* that someone behind the 
> dns server mx15.global.net.uk is already trying your software.  
> *If this is your software*, it is screwing up and giving me 
> 
> the IP correctly, %{i}
> the user correctly, %{l}

Couldn't be me, since I don't support %{l} (yet)

> the origial domain %{o} is being filled with the domain name of the 

Don't support ${o} so it can be my implmentation, because 
spfCheckDomain() call would generate a PermError for the client which is 
treated like a None/Neutral result, since the Internet Draft does not 
specify or recommend what actions should be taken for PermError.

> connecting ip address instead of the domain name used in the email address.  
> In other words, %{o} is is being filled in with `host %{i}` information 
> instead of being the right half of the email address being verified.
> the helo correctly %{h}
> 
> Therefore, the logging is useless because I do not know which
> domain name is being checked.
> 
> And remember that %{o} is the domain of the original email address
> to be checked, while %{d} is the domain of any include or redirect
> clause being checked.  libspf1 has a problem with this for a little
> while.  I still see hits in my logs for the broken version.
> 
> exp= is required so a domain's sysadmin can yell directly at his 
> own users through the smtp reject message that they are using the 
> wrong server and give them information on how to fix the situation.  

exp= won't happen. I supply my own error messages in the milters and its 
not a MUST requirement as far as I can see.

> So again, please put the macros and exp= in.  All of the spec has to be 
> implemented if it is going to work correctly.
> 
> Yes, spf is useful.  My logs show that several domains I have it 
> implemented on are blocking 2,000+ forgeries per day.  A rough
> estimate puts about 95% of them as virus generated.
> 
> -Mike Elliott
> Msen Sysadmin
> 


-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ:
7116561         AIM: Sir Wumpus

Sendmail Anti-Spam Solutions           http://www.snertsoft.com/
                                             We Serve Your Server

Lists Index Date Thread Search