Erroneous 'does not exist' for mail from a domain literal
The following was obtained from a SMTP listener using
postfix-policyd-spf version 1.04 (dated Wed Dec 10 03:52:04 EST 2003)
by mengwong@pobox.com. The Mail::SPF::Query used is from the Debian
package libmail-spf-query-perl (1.996-1).

Host names and IP numbers are changed and long lines are folded.

,----
$ nc example.com 25
220 example.com ESMTP Service Ready
ehlo another-example.com
250-example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250 8BITMIME
mail from:<jam@[11.22.33.44]>
250 Ok
rcpt to:<jam@example.com>
554 <jam@example.com>: Recipient address rejected: Please see
http://spf.pobox.com/why.html?sender=jam%40%5B11.22.33.44%5D&ip=11.22.33.44&receiver=athene:
domain of sender jam@[11.22.33.44] does not exist
quit
221 Bye
`----

,----[ dig +short -x 11.22.33.44;dig +short another-example.com. txt ]
another-example.com.
"v=spf1 ip4:11.22.33.44 -all"
`----

jam

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
Re: Erroneous 'does not exist' for mail from a domain literal
On Fri, Apr 09, 2004 at 12:11:19PM -0400, John A. Martin wrote:
| The following was obtained from a SMTP listener using
| postfix-policyd-spf version 1.04 (dated Wed Dec 10 03:52:04 EST 2003)
| by mengwong@pobox.com. The Mail::SPF::Query used is from the Debian
| package libmail-spf-query-perl (1.996-1).

Thanks for the report. Mail::SPF::Query 1.997 will now die() if given
an address literal in the sender address, and postfix-policyd-spf 1.05
will trap that die() and return a DUNNO. Is that behaviour acceptable?
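
The trap-and-DUNNO behaviour described in this reply, shown as an added example that is not part of the original thread and is not the code of Mail::SPF::Query or postfix-policyd-spf (those are Perl; this is Python). The request text is constructed from the reported session, and `AddressLiteral`, `spf_query`, `handle` and the injected `lookup` callable are hypothetical names.

```python
import ipaddress

# Constructed request, shaped like what Postfix would send for the reported session.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=11.22.33.44\nhelo_name=another-example.com\n"
          "sender=jam@[11.22.33.44]\nrecipient=jam@example.com\n\n")

class AddressLiteral(ValueError):
    """Sender domain is a bracketed IP literal, so there is no name to query."""

def parse_request(text):
    """Postfix policy delegation: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def is_address_literal(domain):
    """True for [a.b.c.d] and [IPv6:...] (RFC 2821 section 4.1.3 forms)."""
    if not (domain.startswith("[") and domain.endswith("]")):
        return False
    body = domain[1:-1]
    try:
        if body[:5].lower() == "ipv6:":
            ipaddress.IPv6Address(body[5:])
        else:
            ipaddress.IPv4Address(body)
    except ValueError:
        return False
    return True

def spf_query(attrs, lookup):
    """Refuse literals up front; `lookup` (hypothetical) does the DNS-based check."""
    domain = attrs.get("sender", "").rpartition("@")[2]
    if is_address_literal(domain):
        raise AddressLiteral(domain)
    return lookup(domain, attrs.get("client_address", ""))

def handle(text, lookup):
    """Trap the refusal and defer to later Postfix restrictions with DUNNO."""
    try:
        action = spf_query(parse_request(text), lookup)
    except AddressLiteral:
        action = "DUNNO"
    return "action=%s\n\n" % action
```

With this shape the literal never reaches a DNS query, so the misleading 'does not exist' rejection cannot be produced for it.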

-------
Re: Erroneous 'does not exist' for mail from a domain literal
>>>>> "Meng" == Meng Weng Wong
>>>>> "Re: Erroneous 'does not exist' for mail from a domain literal"
>>>>> Fri, 9 Apr 2004 12:19:28 -0400

Meng> Thanks for the report. Mail::SPF::Query 1.997 will now
Meng> die() if given an address literal in the sender address, and
Meng> postfix-policyd-spf 1.05 will trap that die() and return a
Meng> DUNNO. Is that behaviour acceptable?

Better than the present 'does not exist'.

Hmm... address literals are perfectly legitimate. I suppose you have
considered the obvious alternative,

    Get PTRs for address literal
        None found fail/REJECT (too harsh?)
    Get TXT for domain(s) pointed to by the PTRs
        Any permit the address literal: pass/DUNNO
        Else treat according to the most restrictive TXT

and decided it is too intricate. But should address literals get a
free ride?

BTW is there any SRS available yet for postfix?

jam

-------
Re: Re: Erroneous 'does not exist' for mail from a domain literal
On Fri, Apr 09, 2004 at 12:58:36PM -0400, John A. Martin wrote:
| But should address literals get a free ride?

If you want to block 'em, I suggest putting

    smtpd_sender_restrictions = permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        ...

ahead of the SPF plugin. This is consistent with section 8.4 of the SPF
spec.

| BTW is there any SRS available yet for postfix?

We've been running an old version of Mail::SRS in production but that's
tied in to our somewhat complex internal hackery. I believe libsrs has
some Postfix patches ... James?

We should have something integrated with the mailer soon.

-------
Re: Erroneous 'does not exist' for mail from a domain literal
>>>>> "Meng" == Meng Weng Wong
>>>>> "Re: Re: Erroneous 'does not exist' for mail from a domain literal"
>>>>> Fri, 9 Apr 2004 13:14:58 -0400

Meng> On Fri, Apr 09, 2004 at 12:58:36PM -0400, John A. Martin
Meng> wrote: | But should address literals get a free ride?

Meng> If you want to block 'em, I suggest putting

Meng>     smtpd_sender_restrictions = permit_mynetworks,
Meng>         reject_non_fqdn_sender,
Meng>         reject_unknown_sender_domain,
Meng>         ...

Of course. But my point was that if the literal points to a spf TXT
that should be used. My pseudo code needed rethinking thus

    Get PTRs for address literal
        None found none/DUNNO
    Get TXT for domain(s) pointed to by the PTRs
        Any permit the address literal: pass/DUNNO
        Else treat according to the most restrictive TXT (or unknown if
        there is none)

Principle of least surprise. :)

I can accept that "according to the most restrictive" may be too
intricate to explain much less implement. Maybe 'Else none/DUNNO'?

jam
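
The revised pseudocode above, written out as an added example; it is not part of the original message and not code from any SPF implementation. The DNS answers are a constructed table mirroring the dig output in the first report, only `ip4:` and `all` mechanisms are evaluated, and mapping a `fail` to REJECT in the "most restrictive" branch is an assumption.

```python
import ipaddress

# Constructed DNS data, mirroring the dig output in the original report.
PTR = {"11.22.33.44": ["another-example.com."]}
TXT = {"another-example.com.": ["v=spf1 ip4:11.22.33.44 -all"]}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SEVERITY = ["neutral", "softfail", "fail"]  # least to most restrictive

def evaluate(record, ip):
    """Left-to-right match of ip4: and all only; other mechanisms are skipped."""
    for term in record.lower().split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        if mech == "all":
            return QUALIFIER[qual]
        if mech.startswith("ip4:"):
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                continue  # malformed network: ignore the term
            if ip in net:
                return QUALIFIER[qual]
    return "neutral"

def check_literal(literal, ptr=PTR, txt=TXT):
    """(spf_result, postfix_action) for the IPv4 address inside user@[literal]."""
    ip = ipaddress.IPv4Address(literal)
    names = ptr.get(str(ip), [])
    if not names:
        return "none", "DUNNO"            # no PTR: none/DUNNO
    records = [r for n in names for r in txt.get(n, [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "unknown", "DUNNO"         # PTR exists but publishes no SPF TXT
    results = [evaluate(r, ip) for r in records]
    if "pass" in results:
        return "pass", "DUNNO"            # any record permits the literal
    worst = max(results, key=SEVERITY.index)
    return worst, ("REJECT" if worst == "fail" else "DUNNO")
```

As in the pseudocode, the address tested against each record is the literal itself; the proposed 'Else none/DUNNO' simplification would replace the last two lines with a fixed `return "none", "DUNNO"`.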
