Mailing List Archive

Re: "Last Call" pending exp= (empty) erratum
Hi, the discussion about the empty exp= issue had no
clear result. In the spirit of "running code", what
do "real" SPF implementations when they stumble over
an empty exp= as in "v=spf1 exp=" ?

Ignore it returning NEUTRAL for this minimal example,
or report it as PERMERROR ?

Frank

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=67081159-bba949
Powered by Listbox: http://www.listbox.com
Re: Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
On Tuesday 20 November 2007 06:27, Frank Ellermann wrote:
> Hi, the discussion about the empty exp= issue had no
> clear result. In the spirit of "running code", what
> do "real" SPF implementations when they stumble over
> an empty exp= as in "v=spf1 exp=" ?
>
> Ignore it returning NEUTRAL for this minimal example,
> or report it as PERMERROR ?
>
pyspf 2.0.4 returns Permanent Error: Empty domain-spec on exp=

Scott K

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=67109784-96ee0a
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Hi, the discussion about the empty exp= issue had no clear result. In
> the spirit of "running code", what do "real" SPF implementations when
> they stumble over an empty exp= as in "v=spf1 exp=" ?
>
> Ignore it returning NEUTRAL for this minimal example, or report it as
> PERMERROR ?

Mail::SPF returns PermError.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHQuY7wL7PKlBZWjsRAtzfAJ9jClpElzIUGlGCakX97Eex8LqR2gCghdxl
0QwqZc9S02zZ8NFBK7Z4sfk=
=Srfe
-----END PGP SIGNATURE-----

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=67113047-a07f5c
Powered by Listbox: http://www.listbox.com
Re: Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
Scott Kitterman wrote:

> pyspf 2.0.4 returns Permanent Error: Empty domain-spec on exp=

Thanks, Scott and Julian. IOW "running code" does not support
"option 1" for this wannabe erratum. Maybe that also helps to
sort out "option 2" vs. "option 3", example policy:

"v=spf1 a -all exp=%{h}" after a FAIL, with a macro-expression
yielding an empty or otherwise unusable <target-name>, do you
report FAIL, or do you report an error for the <target-name> ?

Frank

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=67117935-afb216
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Scott Kitterman wrote:
> > pyspf 2.0.4 returns Permanent Error: Empty domain-spec on exp=
>
> Thanks, Scott and Julian. IOW "running code" does not support
> "option 1" for this wannabe erratum. Maybe that also helps to sort out
> "option 2" vs. "option 3", example policy:
>
> "v=spf1 a -all exp=%{h}" after a FAIL, with a macro-expression yielding
> an empty or otherwise unusable <target-name>, do you report FAIL, or do
> you report an error for the <target-name> ?

%{h} can never yield an empty <target-name>.

Generally, RFC 4408 6.2/4 requires errors in _evaluating_ (not parsing)
the "exp=" modifier to be ignored as if the modifier was absent:

| If domain-spec is empty, or there are any DNS processing errors (any
| RCODE other than 0), or if no records are returned, or if more than one
| record is returned, or if there are syntax errors in the explanation
| string, then proceed as if no exp modifier was given.

So RFC 4408 implies a result of "Fail" for the above example of yours, and
this is what Mail::SPF does.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHRM1SwL7PKlBZWjsRApvoAKCMPkAPOQLJSNJ8g7TgS1liyiwoVwCeJ76f
i8l+ceDMVv5NT6RNTprfGvA=
=gTpf
-----END PGP SIGNATURE-----

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=67800543-6955ac
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
Julian Mehnle wrote:


If there's no HELO / EHLO at all, or just the verb without a name, then
%{h} would be empty / undefined. That's an SMTP syntax error, but
receivers could nevertheless decide to talk to the client.

Likely there are more plausible examples how <target-name> could
end up "empty" or otherwise unusable.
[...]

> RFC 4408 implies a result of "Fail" for the above example of yours,
> and this is what Mail::SPF does.

Okay, toss a coin between option 2 and 3 for this erratum ? Or we
could use Ned's trick, your proposal (option 2) is shorter, and if in
doubt shorter wins. (Disclaimer, Ned uses that for spelling issues ;-)

Frank

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=67889919-157215
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Julian Mehnle wrote:
>
> If there's no HELO / EHLO at all, or just the verb without a name, then
> %{h} would be empty / undefined. That's an SMTP syntax error, but
> receivers could nevertheless decide to talk to the client.
>
> Likely there are more plausible examples how <target-name> could
> end up "empty" or otherwise unusable.
> [...]

OK, but then it's not our problem how implementations deal with it.
Unspecified input -> unspecified output.

> > RFC 4408 implies a result of "Fail" for the above example of yours,
> > and this is what Mail::SPF does.
>
> Okay, toss a coin between option 2 and 3 for this erratum ? Or we
> could use Ned's trick, your proposal (option 2) is shorter, and if in
> doubt shorter wins. (Disclaimer, Ned uses that for spelling issues ;-)

I vote for option 2.

Note however that the change inherent to option 2 only covers the "v=spf1
exp=" class of cases, not the "v=spf1 exp=%{macro-expression}" (with the
macro expression evaluating to the empty string) class of cases. The
latter is not a syntax error, but is to be considered a DNS processing
error, which is already covered by RFC 4408 as is.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHTDyGwL7PKlBZWjsRAlOfAJ9iilTkHhrlc6ce+pudmfyH0TfyzQCg+NrJ
SVW6IjgL6l9Daz7k1sGnNTQ=
=SqAf
-----END PGP SIGNATURE-----

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=69039984-c5729a
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
Julian Mehnle wrote:

>> Likely there are more plausible examples how <target-name> could
>> end up "empty" or otherwise unusable.
>> [...]

> OK, but then it's not our problem how implementations deal with it.
> Unspecified input -> unspecified output.

Actually the output for an unusable exp= <target-name> IS specified,
implementations are supposed to ignore a bad explanation, and report
FAIL as if there's no exP= at all.

> I vote for option 2.

Fine, then we'll make it so, 2 and 3 are equivalent. I'll change
the errata page in the next days, leaving only your solution, maybe
combining the rationale for 2+3 if necessary. After that I'll set
a timeout for objections, and if nothing happens in a week or so I
move this erratum to resolved.

The 2821bis Last Call just started, that allows us to tackle the
last open issues based on the current draft. John just looked into
it _again_ wrt "no-dot addresses", I guess we have the final word
about it, therefore we can finish our pending "no-dot" business.

Frank

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=69080438-e51c86
Powered by Listbox: http://www.listbox.com
Re: Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
On Tue, 27 Nov 2007, Frank Ellermann wrote:

> Fine, then we'll make it so, 2 and 3 are equivalent. I'll change
> the errata page in the next days, leaving only your solution, maybe
> combining the rationale for 2+3 if necessary. After that I'll set
> a timeout for objections, and if nothing happens in a week or so I
> move this erratum to resolved.

I'll add test cases for how I understand the proposed solution.

My understanding is that 'exp=' results in PermError, whereas errors resulting
from macro expansion, DNS or faulty exp string result in exp= being ignored.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=69130150-5bbb0d
Powered by Listbox: http://www.listbox.com
Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart D. Gathman wrote:
> I'll add test cases for how I understand the proposed solution.

Thank you!

> My understanding is that 'exp=' results in PermError, whereas errors
> resulting from macro expansion, DNS or faulty exp string result in exp=
> being ignored.

That's my understanding, too.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHTHNXwL7PKlBZWjsRAnNIAKCt8OLCuGSZhXgdC/dscuZvszBxWQCdGSB7
EnfJ68ml6cVImt5MVrCKTiw=
=JyiT
-----END PGP SIGNATURE-----

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=69145240-d0ee27
Powered by Listbox: http://www.listbox.com
Re: Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
Stuart D. Gathman wrote:

> I'll add test cases for how I understand the proposed solution.

Great, I still had you on the list of "wants option 3 if 1
doesn't fly", without you and me option 3 is now also dead.

Frank


-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=69410872-eb9780
Powered by Listbox: http://www.listbox.com
Re: Re: Re: "Last Call" pending exp= (empty) erratum [ In reply to ]
On Wed, 28 Nov 2007, Frank Ellermann wrote:

> > I'll add test cases for how I understand the proposed solution.
>
> Great, I still had you on the list of "wants option 3 if 1
> doesn't fly", without you and me option 3 is now also dead.

Revision 92 of test-suite commited. Added/changed tests:

exp-empty-domain requires permerror
exp-no-txt must ignore if no TXT records
exp-dns-error must ignore if DNS error

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=69680010-25e878
Powered by Listbox: http://www.listbox.com