Mailing List Archive: Implementing SPF at POP3 level....

Implementing SPF at POP3 level....

Dec 21, 2004, 4:42 AM

Post #1 of 6 (2662 views)

Hi All,

We are currently developing our internal POP3 server and would like to implement sender verification checks at the message retrieval stage. I've read through the basic whitepapers and have also looked through Microsofts senderID stuff, but am a little confused on the way to go.

I think we want SPF, but ideally would like to look through some sample code of any current implemntations that verify a sender via SPF. We are coding in VB.Net but code in most languages would be useful for us to start with.

Does anyone know of any sample code implementing SPF?

Thanks,

Dan

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

Re: Implementing SPF at POP3 level.... [ In reply to ]

william at elan

Dec 21, 2004, 6:19 AM

Post #2 of 6 (2628 views)

Permalink

Please do not implement SPF checking at POP3 stage - this will be a
incorrect use of the technology. SPF as well as SID are designed for
verification of MTA-MTA hop based on MTA ip address at the time of
SMTP transmission by another MTA. The POP3 email retrieval is outside
SMTP transmission stange after email delivery happened and you:

1. Do not know for certain what was an ip address of previous MTA and
have to make a guess based on data in Received headers - this
is herecy and thus unreliable information.
2. Received headers are not well standartized and information on MTA
ip address is not required to be part of it and different MTAs add
this info differently.
3. Since you're doing verification after the time of delivery it is
possible for SPF record to have been changed which could potentially
mean a failure results instead of pass

On Tue, 21 Dec 2004, Dan Field wrote:

> Hi All,
>
> We are currently developing our internal POP3 server and would like to
> implement sender verification checks at the message retrieval stage.
> I've read through the basic whitepapers and have also looked through
> Microsofts senderID stuff, but am a little confused on the way to go.
>
> I think we want SPF, but ideally would like to look through some sample
> code of any current implemntations that verify a sender via SPF. We are
> coding in VB.Net but code in most languages would be useful for us to
> start with.
>
> Does anyone know of any sample code implementing SPF?
>
> Thanks,
>
>
> Dan
>
> -------
> To unsubscribe, change your address, or temporarily deactivate your subscription,
> please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
>

--
William Leibzon
Elan Networks
william@elan.net

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

Re: Implementing SPF at POP3 level.... [ In reply to ]

tauberer at for

Dec 21, 2004, 7:43 AM

Post #3 of 6 (2629 views)

Permalink

william(at)elan.net wrote:
> Please do not implement SPF checking at POP3 stage - this will be a
> incorrect use of the technology.

I really don't understand this incorrect use of the technology that I
keep hearing. How can you even judge a use to be incorrect without even
knowing what the result of the SPF check will be used for?

In response to the original poster, there are a bunch of libraries
implementing SPF at:
http://spf.pobox.com/downloads.html
Hopefully you can just plug in an existing implementation into your
program, or else you can look at their source code. But, as William
pointed out, there are a number of problematic issues with using SPF at
that point.

--
- Joshua Tauberer

http://taubz.for.net

** Nothing Unreal Exists **

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

RE: Implementing SPF at POP3 level.... [ In reply to ]

dan.field at accessemedia

Dec 21, 2004, 7:48 AM

Post #4 of 6 (2673 views)

Permalink

Thanks,

I understand the problems with checking at POP3 level, but this is just a short term measure to help with identifying a valid sender.... I am hoping like most people on this list that SPF does become widespread at the transport level.

Dan

-----Original Message-----
From: owner-spf-devel@v2.listbox.com
[mailto:owner-spf-devel@v2.listbox.com]On Behalf Of Joshua Tauberer
Sent: 21 December 2004 15:44
To: spf-devel@v2.listbox.com
Subject: Re: [spf-devel] Implementing SPF at POP3 level....

william(at)elan.net wrote:
> Please do not implement SPF checking at POP3 stage - this will be a
> incorrect use of the technology.

I really don't understand this incorrect use of the technology that I
keep hearing. How can you even judge a use to be incorrect without even
knowing what the result of the SPF check will be used for?

In response to the original poster, there are a bunch of libraries
implementing SPF at:
http://spf.pobox.com/downloads.html
Hopefully you can just plug in an existing implementation into your
program, or else you can look at their source code. But, as William
pointed out, there are a number of problematic issues with using SPF at
that point.

--
- Joshua Tauberer

http://taubz.for.net

** Nothing Unreal Exists **

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

Re: Implementing SPF at POP3 level.... [ In reply to ]

william at elan

Dec 21, 2004, 8:20 AM

Post #5 of 6 (2657 views)

Permalink

On Tue, 21 Dec 2004, Joshua Tauberer wrote:

> william(at)elan.net wrote:
> > Please do not implement SPF checking at POP3 stage - this will be a
> > incorrect use of the technology.
>
> I really don't understand this incorrect use of the technology that I
> keep hearing. How can you even judge a use to be incorrect without even
> knowing what the result of the SPF check will be used for?

That is fair comment however generally unless otherwise noted we have to
assume that SPF would be used as described by SPF draft - which is to
prevent accepting email with presumably forged envelope MAIL-FROM.
That is after all what people who published SPF records are doing it
for and as you may have heard during last 1/2/3/... months there is a
quite a number of people on this list who are concerned about SPF dns
records being used in some other manner which may result in number of
failers which some may attribute to SPF when in fact it is the result of
improper use of the records in some other way.

--
William Leibzon
Elan Networks
william@elan.net

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

Re: Implementing SPF at POP3 level.... [ In reply to ]

mengwong at dumbo

Dec 21, 2004, 9:27 PM

Post #6 of 6 (2639 views)

Permalink

On Tue, Dec 21, 2004 at 03:48:20PM -0000, Dan Field wrote:
| Thanks,
|
| I understand the problems with checking at POP3 level, but this is just a short term measure to help with identifying a valid sender.... I am hoping like most people on this list that SPF does become widespread at the transport level.

I think at the POP3 level the best you can do is say "yes,
it passed", and if it didn't pass you say "it didn't pass"
--- so we take the sting out of the "fail" cases.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com