Hello,
I am working on our own SPF (Classic,
http://spf.pobox.com/spf-draft-200406.txt) implementation and while I
was testing it using the SPF test package data (test_live.txt) from
libspf2, I got some odd results. Some tests were not passed and it
appears that it is not our code's fault -- at least it looks we
interpret the "standard" differently or I overlook something (e.g.
local policy, libspf2's implemented standard)
Can you confirm if I am wrong or correct about the issues below?
libspf2 version: 1.2.5
Issue 1)
--------
Command: spfquery -ip=192.0.2.1 -sender=05.spf1-test.mailzone.com
-helo=05.spf1-test.mailzone.com
Expected result: fail
Our result: neutral
SPF record: 05.spf1-test.mailzone.com TXT -> v=spf1 default=deny
As "default=deny" is an unknown modifier, our implementation silently
ignores it (SPF-C "3.2 SPF Directive Evaluation" paragraph 1). Because
no matching mechanism is found and there are no includes/redirectors,
we must return "neutral", according to SPF-C "3.3 Default result".
Issue 2)
--------
Command: spfquery -ip=192.0.2.200 -sender=56.spf1-test.mailzone.com
-helo=56.spf1-test.mailzone.com
Expected result: none
Our result: unknown
SPF record: - (got NXDOMAIN)
SPF-C section "2.2.2 Lookup" paragraph 4 says "If the domain does not
exist (NXDOMAIN), SPF clients MUST return >>unknown<<". There is no
parent domain TXT published, so the processing cannot fall back to the
parent domain (and it is not even supported by our implementation).
Issue 3)
--------
Command: spfquery -ip=64.236.24.4 -sender=80.spf1-test.mailzone.com
-helo=80.spf1-test.mailzone.com
Expected result: fail
Our result: PermError (would map to error/unknown)
SPF record: v=spf1 a mx
exists:%{ir}.%{v}._spf.80.spf1-test.mailzone.com ptr -all
The "a" mechanism does not match (80.spf1-test.mailzone.com A RR ->
208.210.124.180), so our code continues with the "mx" mechanism.
80.spf1-test.mailzone.com does not have an MX, so we terminate the
processing and return with error indicating a DNS problem. We
interpret section "3.2 SPF Directive Evaluation" paragraph "If it
throws an exception, mechanism processing ends and the exception value
is returned (either "error" indicating a temporary failure, usually
DNS-related, or "unknown" indicating a syntax error or other permanent
failure resulting in incomplete processing.)" the way that we should
terminate processing here. This sounds reasonable, because continuing
the evaluation may end up in rejecting email, due to a "-all".
A variation of this issue is "spfquery -ip=192.0.2.80
-sender=80.spf1-test.mailzone.com -helo=80.spf1-test.mailzone.com",
the same problem occurs.
Issue 4)
--------
Command: spfquery -ip=192.0.2.200 -sender=112.spf1-test.mailzone.com
-helo=112.spf1-test.mailzone.com
Expected result: unknown
Our result: pass
SPF record: v=spf1 a mp3 ~all
We get pass on "a" the mechnism, because 112.spf1-test.mailzone.com A
RR -> 192.0.2.200. While SPF-C section "3.2 SPF Directive Evaluation"
says that "Unknown mechanisms cause processing to abort with the
result >>unknown<<. Unknown modifiers are ignored by clients." and
"mp3" is certainly a mechanism, section "6.1 Unrecognized Mechanisms
and Modifiers" paragraph 2 says "Mechanisms listed before the unknown
mechanism MUST, however, be evaluated.".
A variation of this issue is "spfquery -ip=192.0.2.200
-sender=113.spf1-test.mailzone.com -helo=113.spf1-test.mailzone.com".
Issue 5)
--------
Command: spfquery -ip=192.0.2.200 -sender=115.spf1-test.mailzone.com
-helo=115.spf1-test.mailzone.com
Expected result: unknown
Our result: pass
SPF record: v=spf1 a mp3=yes -all
Unknown modifiers must be ignored. 115.spf1-test.mailzone.com A RR =
192.0.2.200, mechanism "a" matches with + implicit prefix, so we have
"pass".
It is the same with "spfquery -ip=1.2.3.4
-sender=115.spf1-test.mailzone.com -helo=115.spf1-test.mailzone.com",
except that we generate "fail" instead of "unknown".
Issue 6)
--------
Command: spfquery -ip=192.0.2.200 -sender=116.spf1-test.mailzone.com
-helo=116.spf1-test.mailzone.com
Expected result: fail
Our result: pass
SPF record: v=spf1 redirect=116rdr.spf1-test.mailzone.com a
"Redirect" is a global and singular modifier, it should be evaluated
after all mechanisms are evaluated without a match, so our code takes
"a" first. 116.spf1-test.mailzone.com A RR -> 192.0.2.200, so there is
no need to evaluate the "redirect" modifier. Section "5.1 redirect:
Redirected Query" says "If all mechanisms fail to match, and a
redirect modifier is present, then processing proceeds as follows.".
Peter
P.S.: Sorry for posting this to spf-devel, but I got no response to my
Libspf2 issue tracker submission (07/04).
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
I am working on our own SPF (Classic,
http://spf.pobox.com/spf-draft-200406.txt) implementation and while I
was testing it using the SPF test package data (test_live.txt) from
libspf2, I got some odd results. Some tests were not passed and it
appears that it is not our code's fault -- at least it looks we
interpret the "standard" differently or I overlook something (e.g.
local policy, libspf2's implemented standard)
Can you confirm if I am wrong or correct about the issues below?
libspf2 version: 1.2.5
Issue 1)
--------
Command: spfquery -ip=192.0.2.1 -sender=05.spf1-test.mailzone.com
-helo=05.spf1-test.mailzone.com
Expected result: fail
Our result: neutral
SPF record: 05.spf1-test.mailzone.com TXT -> v=spf1 default=deny
As "default=deny" is an unknown modifier, our implementation silently
ignores it (SPF-C "3.2 SPF Directive Evaluation" paragraph 1). Because
no matching mechanism is found and there are no includes/redirectors,
we must return "neutral", according to SPF-C "3.3 Default result".
Issue 2)
--------
Command: spfquery -ip=192.0.2.200 -sender=56.spf1-test.mailzone.com
-helo=56.spf1-test.mailzone.com
Expected result: none
Our result: unknown
SPF record: - (got NXDOMAIN)
SPF-C section "2.2.2 Lookup" paragraph 4 says "If the domain does not
exist (NXDOMAIN), SPF clients MUST return >>unknown<<". There is no
parent domain TXT published, so the processing cannot fall back to the
parent domain (and it is not even supported by our implementation).
Issue 3)
--------
Command: spfquery -ip=64.236.24.4 -sender=80.spf1-test.mailzone.com
-helo=80.spf1-test.mailzone.com
Expected result: fail
Our result: PermError (would map to error/unknown)
SPF record: v=spf1 a mx
exists:%{ir}.%{v}._spf.80.spf1-test.mailzone.com ptr -all
The "a" mechanism does not match (80.spf1-test.mailzone.com A RR ->
208.210.124.180), so our code continues with the "mx" mechanism.
80.spf1-test.mailzone.com does not have an MX, so we terminate the
processing and return with error indicating a DNS problem. We
interpret section "3.2 SPF Directive Evaluation" paragraph "If it
throws an exception, mechanism processing ends and the exception value
is returned (either "error" indicating a temporary failure, usually
DNS-related, or "unknown" indicating a syntax error or other permanent
failure resulting in incomplete processing.)" the way that we should
terminate processing here. This sounds reasonable, because continuing
the evaluation may end up in rejecting email, due to a "-all".
A variation of this issue is "spfquery -ip=192.0.2.80
-sender=80.spf1-test.mailzone.com -helo=80.spf1-test.mailzone.com",
the same problem occurs.
Issue 4)
--------
Command: spfquery -ip=192.0.2.200 -sender=112.spf1-test.mailzone.com
-helo=112.spf1-test.mailzone.com
Expected result: unknown
Our result: pass
SPF record: v=spf1 a mp3 ~all
We get pass on "a" the mechnism, because 112.spf1-test.mailzone.com A
RR -> 192.0.2.200. While SPF-C section "3.2 SPF Directive Evaluation"
says that "Unknown mechanisms cause processing to abort with the
result >>unknown<<. Unknown modifiers are ignored by clients." and
"mp3" is certainly a mechanism, section "6.1 Unrecognized Mechanisms
and Modifiers" paragraph 2 says "Mechanisms listed before the unknown
mechanism MUST, however, be evaluated.".
A variation of this issue is "spfquery -ip=192.0.2.200
-sender=113.spf1-test.mailzone.com -helo=113.spf1-test.mailzone.com".
Issue 5)
--------
Command: spfquery -ip=192.0.2.200 -sender=115.spf1-test.mailzone.com
-helo=115.spf1-test.mailzone.com
Expected result: unknown
Our result: pass
SPF record: v=spf1 a mp3=yes -all
Unknown modifiers must be ignored. 115.spf1-test.mailzone.com A RR =
192.0.2.200, mechanism "a" matches with + implicit prefix, so we have
"pass".
It is the same with "spfquery -ip=1.2.3.4
-sender=115.spf1-test.mailzone.com -helo=115.spf1-test.mailzone.com",
except that we generate "fail" instead of "unknown".
Issue 6)
--------
Command: spfquery -ip=192.0.2.200 -sender=116.spf1-test.mailzone.com
-helo=116.spf1-test.mailzone.com
Expected result: fail
Our result: pass
SPF record: v=spf1 redirect=116rdr.spf1-test.mailzone.com a
"Redirect" is a global and singular modifier, it should be evaluated
after all mechanisms are evaluated without a match, so our code takes
"a" first. 116.spf1-test.mailzone.com A RR -> 192.0.2.200, so there is
no need to evaluate the "redirect" modifier. Section "5.1 redirect:
Redirected Query" says "If all mechanisms fail to match, and a
redirect modifier is present, then processing proceeds as follows.".
Peter
P.S.: Sorry for posting this to spf-devel, but I got no response to my
Libspf2 issue tracker submission (07/04).
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com