Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. SPF>
  3. Discuss
Forwarder whitelisting counter-proposal: SPF "i-am=" modifier
julian at mehnle
Jan 8, 2008, 6:51 PM
Post #1 of 22 (9684 views)
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Deutschmann wrote:
> I'd like to put my TENBOX/E proposal back on the table, with a few
> changes.
>
> First, I'm changing the "marketing" to be more a whitelisting
> enhancement with many uses, instead of just a solution to the
> forwarding problem.
>
> [... revamped TENBOX/E proposal ...]

This seems like a clever idea, however I seriously doubt forwarders would
be willing to implement an SMTP/AUTH extension.

Don't get me wrong, I really appreciate your effort. This is a tough nut
to crack. However, as long as a proposed solution takes even just nearly
as much work to implement as sender rewriting it's just as dead-on-
arrival. :-(

However, here's another idea how forwarders could identify themselves.
Suppose a new SPF modifier named "i-am=" that works exactly like
"redirect=", with one addition: the modifier's argument, for example
"forwarder.org", can be considered an additional authenticated identity by
the receiver if SPF evaluation passes for that domain. The receiver can
then use that additional identity to whitelist the sender.

For example, a forwarder says: HELO mta02.forwarder.org

The receiver checks "mta02.forwarder.org" for an SPF record, which yields

"v=spf1 i-am=forwarder.org redirect=forwarder.org"

The receiver finds "i-am=" and ignores "redirect=" (which is there just in
case the receiver doesn't implement the "i-am=" modifier).
They then check "forwarder.org" for an SPF record, which yields

"v=spf1 a:mta01.forwarder.org a:mta02.forwarder.org -all"

The forwarder's IP address matches the SPF record, so the HELO SPF check
passes and the receiver also has authenticated "forwarder.org" as an
additional sender identity (also with a HELO scope), which they can
compare against their HELO whitelist.

Works for mailing lists as well. More importantly, it doesn't require
forwarders to implement any new SMTP magic. All they have to do is
publish some new SPF records in DNS.

(I could have named the modifier "cname=" instead. That would have been a
nice analogy but would have confused the hell out of DNS experts.
And, before anyone wonders: yes, the redirection behavior of "i-am=" is
essential because the authority over whether the specified identity is
legitimate for the sender's IP address MUST be delegated to the owner of
the identity, i.e. the admin of the identity's DNS zone. The common SPF
principle.)

Anyway, perhaps I'm just in a destructive mode today, so please consider
this posting of mine a counter-proposal rather than a dismissal of yours.


Now on to the odds'n'ends:

> I'm now thinking my Sham-SRS idea is the better approach to the
> forwarding problem *as caused by SPF*, however forwarder whitelisting
> is still a necessary idea. Sham-SRS protects the forwarder from SPF
> and post-transaction bounces, but not in-transaction rejections.

Why do forwarders need to be protected from in-transaction rejections?

> 2. DSNs in a goldlisting universe:
>
> One possible endgame in the spam wars is universal goldlisting,
> combined with SPF. Goldlisting is the practice of configuring one's
> mail system to reject all mail by default, only relenting when the MAIL
> FROM: address is on a whitelist.

(This was once called AGUPI (assumed guilty until proven innocent) by Meng
Weng "SPF" Wong.)

> In such a universe, bounce messages will never work, as to prevent mail
> loops, they always have a MAIL FROM of <>. SPF cannot defend this
> address, so spammers would resort to it if goldlisters allowed it.
>
> TENBOX/E comes to the rescue here, by allowing the bounce to be marked
> with the address that failed:
>
> So if Ralph's mailbox is full, a bounce to this message:
> MAIL FROM: <sarah@example.com>
> RCPT TO: <ralph@example.net>
>
> comes as:
> MAIL FROM: <> AUTH=ralph@example.net
> RCPT TO: <sarah@example.com>
>
> and reaches her even if she is using goldlisting.

I understand that this use case is served nicely by your revamped TENBOX/E
proposal, but I don't think _we_ need to care about this use case and it
barely justifies the implementation effort required by your proposal,
especially as it can be solved by something as simple as:

MAIL FROM:<ralph@example.net:bounce> (or <ralph@example.net.bounce>)
RCPT TO:<sarah@example.com>

> 4. Mitigation of ordinary-user VERPing (eg: SES, BATV):
>
> Some users seek to use a form of VERP to protect themselves from
> backscatter, accepting only direct mail to their principal address, and
> directing the bounces to constantly-changing addresses.
>
> Unless the receiving MTA has ad-hoc knowledge of how to derive the
> principal address from the VERPed address, whitelisting and greylisting
> are broken, or at least degraded to operating on entire domains instead
> of mailboxes.
>
> TENBOX/E allows whitelisting and VERP to coexist, since the SWK can
> always be the principal address. An exchange of messages might go:
>
> MAIL FROM: <sarah+32823667@example.com> AUTH=sarah@example.com
> RCPT TO: <ralph@example.org>

Of course this only helps if the receiver has implemented TENBOX/E. Do
you expect everyone who has implemented greylisting to also implement
that?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhDbNwL7PKlBZWjsRAixsAJ9SUWDzXYoQ/jjB1PqYKVen21hlZgCeIqy2
4j5l4n490VUZtqbBzPrKuBg=
=QXXm
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83480793-5fd58a
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
scott at kitterman
Jan 8, 2008, 7:28 PM
Post #2 of 22 (9541 views)
Permalink
On Wed, 9 Jan 2008 02:51:54 +0000 Julian Mehnle <julian@mehnle.net> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Michael Deutschmann wrote:
>> I'd like to put my TENBOX/E proposal back on the table, with a few
>> changes.
>>
>> First, I'm changing the "marketing" to be more a whitelisting
>> enhancement with many uses, instead of just a solution to the
>> forwarding problem.
>>
>> [... revamped TENBOX/E proposal ...]
>
>This seems like a clever idea, however I seriously doubt forwarders would
>be willing to implement an SMTP/AUTH extension.
>
>Don't get me wrong, I really appreciate your effort. This is a tough nut
>to crack. However, as long as a proposed solution takes even just nearly
>as much work to implement as sender rewriting it's just as dead-on-
>arrival. :-(
>
>However, here's another idea how forwarders could identify themselves.
>Suppose a new SPF modifier named "i-am=" that works exactly like
>"redirect=", with one addition: the modifier's argument, for example
>"forwarder.org", can be considered an additional authenticated identity by
>the receiver if SPF evaluation passes for that domain. The receiver can
>then use that additional identity to whitelist the sender.
>
>For example, a forwarder says: HELO mta02.forwarder.org
>
>The receiver checks "mta02.forwarder.org" for an SPF record, which yields
>
> "v=spf1 i-am=forwarder.org redirect=forwarder.org"
>
>The receiver finds "i-am=" and ignores "redirect=" (which is there just in
>case the receiver doesn't implement the "i-am=" modifier).
>They then check "forwarder.org" for an SPF record, which yields
>
> "v=spf1 a:mta01.forwarder.org a:mta02.forwarder.org -all"
>
>The forwarder's IP address matches the SPF record, so the HELO SPF check
>passes and the receiver also has authenticated "forwarder.org" as an
>additional sender identity (also with a HELO scope), which they can
>compare against their HELO whitelist.
>
>Works for mailing lists as well. More importantly, it doesn't require
>forwarders to implement any new SMTP magic. All they have to do is
>publish some new SPF records in DNS.
>
>(I could have named the modifier "cname=" instead. That would have been a
>nice analogy but would have confused the hell out of DNS experts.
>And, before anyone wonders: yes, the redirection behavior of "i-am=" is
>essential because the authority over whether the specified identity is
>legitimate for the sender's IP address MUST be delegated to the owner of
>the identity, i.e. the admin of the identity's DNS zone. The common SPF
>principle.)
>
>Anyway, perhaps I'm just in a destructive mode today, so please consider
>this posting of mine a counter-proposal rather than a dismissal of yours.
>
Don't both these proposals amount to "forwarders" saying "trust me I'm a
forwarder - you can just skip rejecting SPF Fail mail from me"? Wouldn't
anyone trying to forge mail and "beat" SPF claim to be a forwarder?

The only entity that can reliably identify a forwarder is the receiver that
establishes the forwarding relationship.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83495765-65cb29
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
julian at mehnle
Jan 8, 2008, 7:40 PM
Post #3 of 22 (9517 views)
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Kitterman wrote:
> Don't both these proposals amount to "forwarders" saying "trust me I'm
> a forwarder - you can just skip rejecting SPF Fail mail from me"?

No, you got both Michael and me wrong. Each of our proposals is merely
trying to establish a solid identity that receivers can actually PUT on
their forwarder whitelist. Of course receivers still have to explicitly
do that themselves.

With "i-am=", I can put "HELO=forwarder.org" on my whitelist, even if the
forwarder doesn't use that identity directly in their HELOs. Currently I
cannot do that, but I'd rather have to list all their individual HELOs
(which are bound to change over time).

"i-am=" is merely an out-of-band reformulation of Michael's in-band (SMTP
extension) idea for transmitting an additional identity.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhEIiwL7PKlBZWjsRAnHKAKCvhlWRdYBNr5O3Tk70iYkm+lW1wACghjPd
iyf1+B+84xlPj8hR3UIrwNo=
=9jT0
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83498289-58f229
Powered by Listbox: http://www.listbox.com
Re: Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
scott at kitterman
Jan 8, 2008, 8:19 PM
Post #4 of 22 (9535 views)
Permalink
On Tuesday 08 January 2008 22:40, Julian Mehnle wrote:
> Scott Kitterman wrote:
> > Don't both these proposals amount to "forwarders" saying "trust me I'm
> > a forwarder - you can just skip rejecting SPF Fail mail from me"?
>
> No, you got both Michael and me wrong. Each of our proposals is merely
> trying to establish a solid identity that receivers can actually PUT on
> their forwarder whitelist. Of course receivers still have to explicitly
> do that themselves.
>
> With "i-am=", I can put "HELO=forwarder.org" on my whitelist, even if the
> forwarder doesn't use that identity directly in their HELOs. Currently I
> cannot do that, but I'd rather have to list all their individual HELOs
> (which are bound to change over time).
>
> "i-am=" is merely an out-of-band reformulation of Michael's in-band (SMTP
> extension) idea for transmitting an additional identity.
>
OK. Fair enough. That could be useful, although I'm not sure anything other
than a regular SPF record is needed.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83510163-3db017
Powered by Listbox: http://www.listbox.com
RE: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
admin at asarian-host
Jan 8, 2008, 10:31 PM
Post #5 of 22 (9539 views)
Permalink
-----Original Message-----
From: Julian Mehnle [mailto:julian@mehnle.net]
Sent: woensdag 9 januari 2008 3:54
To: spf-discuss@v2.listbox.com
Subject: [spf-discuss] Forwarder whitelisting counter-proposal: SPF "i-am=" modifier

> > Scott Kitterman wrote:
>
> > Don't both these proposals amount to "forwarders" saying "trust me
> > I'm a forwarder - you can just skip rejecting SPF Fail mail from me"?

I was thinking the same thing.

> No, you got both Michael and me wrong. Each of our proposals is merely
> trying to establish a solid identity that receivers can actually PUT
> on their forwarder whitelist. Of course receivers still have to
> explicitly do that themselves.

Ok, I'm getting it now; and I'm liking this proposal much better than that
of Michael: anything that can be done by adding a simple DNS record is to
be preferred over implementing a new "mail-parameter" of the MAIL command,
as described in Section 3.3 (Mail Transactions) of RFC 2821.

Which brings up the old question again: why not use the already existing
ENVID (RFC 3461) for this purpose?

Of course, Scott remains right, insofar that "i-am=" is basically just a
fine-tuning to the trusted-forwarder idea. But a good idea. :)

- Mark

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83531182-8a9cee
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
michael at talamasca
Jan 9, 2008, 12:26 AM
Post #6 of 22 (9539 views)
Permalink
On Wed, 9 Jan 2008, Julian Mehnle wrote:
> However, here's another idea how forwarders could identify themselves.
> Suppose a new SPF modifier named "i-am=" that works exactly like
> "redirect=", with one addition: the modifier's argument, for example
> "forwarder.org", can be considered an additional authenticated identity by
> the receiver if SPF evaluation passes for that domain. The receiver can
> then use that additional identity to whitelist the sender.

I don't think that's a good use of 60-odd bytes of SPF record space.

Also, it fails in one common situation. Suppose two forwarding
organizations (or mailing list hosters) use the I-AM= proposal. Then, they
merge, desiring to keep both of their original domains in operation. They'd
like to use one mailserver to serve both domains without making their users
re-configure. Then which domain gets the "I-AM=" reference?

TENBOX/E easily handles this case, since the MTA can use an appropriate SWK
for each message.

I-AM doesn't handle the AGUPI or VERP-mitigation cases well. It can only
give a coarse-grained solution that will break whenever a mailserver serves
multiple domains.

> Why do forwarders need to be protected from in-transaction rejections?

Because the forwarder fears being blacklisted as a backscatter emitter, if
an email arrives with neither SPF-pass nor SPF-fail, and cannot be delivered
forward.

(TENBOX/E will exploit this fear to get faster deployment on the forwarder
end. SRS ignores this fear, and in fact charges into it's eye, since it makes
post-transaction bounces just as bad as in-transaction rejects.)

To protect themselves, a forwarder can make a policy of freezing (not
bouncing or blackholing) the message in question, and then also freezing the
forwarding relationship until the ultimate recipient fixes his system to
never reject forwarded mail. Without TENBOX/E, the recipient can always cry
"That's no fair. How was my MTA to know that message was a forward?"
TENBOX/E gives a way.

> [...] but I don't think _we_ need to care about [AGUPI] use case and it
> barely justifies the implementation effort required by your proposal,
> especially as it can be solved by something as simple as:
>
> MAIL FROM:<ralph@example.net:bounce> (or <ralph@example.net.bounce>)
> RCPT TO:<sarah@example.com>

That still requires some kind of extension signalling, otherwise your
bounces will be rejected by legacy mailservers that detect you as forging a
domain that doesn't even exist -- or is a syntax error.

Also, accomodating AGUPI should be very important to SPF, since for many
people it is SPF's killer app.

> > MAIL FROM: <sarah+32823667@example.com> AUTH=sarah@example.com
> > RCPT TO: <ralph@example.org>
>
> Of course this only helps if the receiver has implemented TENBOX/E. Do
> you expect everyone who has implemented greylisting to also implement
> that?

If SES or BATV takes off, they'll have to downgrade their greylisting to
only work on a domain basis, or put up with false-positive delays all of the
time. For some time also, SES/BATV users will have to put up with the same
delays, from users who don't mind them enough to give up mailbox-granular
greylisting.

TENBOX/E, when implemented by both sides, allows both to get timely
deliveries without giving anything up.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83559122-9065ee
Powered by Listbox: http://www.listbox.com
RE: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
michael at talamasca
Jan 9, 2008, 12:54 AM
Post #7 of 22 (9541 views)
Permalink
On Wed, 9 Jan 2008, you wrote:
> Which brings up the old question again: why not use the already existing
> ENVID (RFC 3461) for this purpose?

I don't see the connection. ENVID seems intended to be unique for each
message, and is intended to stay with a message all the way. The SWK only
appears on the sender-smarthost to recipient-MX hop, and is constant for a
given forwarding relationship.

Also, ENVID is permanently attached to the DSN ESMTP extension, which is
gigantic poison pill from which otherwise-sane MTA authors run screaming.
It's for the best if we pretend it doesn't exist.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83565237-f65526
Powered by Listbox: http://www.listbox.com
Re: Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
stuart at bmsi
Jan 9, 2008, 2:58 AM
Post #8 of 22 (9528 views)
Permalink
On Wed, 9 Jan 2008, Julian Mehnle wrote:

> No, you got both Michael and me wrong. Each of our proposals is merely
> trying to establish a solid identity that receivers can actually PUT on
> their forwarder whitelist. Of course receivers still have to explicitly
> do that themselves.

Just whitelist the SPF domain of the forwarder. This is the domain they
*would* have used *if* they did SRS (even though they don't). If they don't
publish an SPF record, I make a local one with my guesses of their IPs (or
just don't use them as a forwarder). Of course, if they *do* use SRS,
then the problem of what to whitelist is solved.

Since you don't immediately know the forwarder domain of a non-SRS
forwarder, you have to search. A simple linear search is inefficient
when the list is large. So, a hint as to what the forwarder domain
might be would be easier than tricky programming to efficiently search
the forwarder list given an IP (convert each SPF record to a set
of IPs and search those). But if the forwarder is nice enough to do that,
why not just use SRS? Also, ENVID could contain the hint, as someone
suggested.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83596423-58fb67
Powered by Listbox: http://www.listbox.com
RE: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
admin at asarian-host
Jan 9, 2008, 3:18 AM
Post #9 of 22 (9526 views)
Permalink
-----Original Message-----
From: Michael Deutschmann [mailto:michael@talamasca.ocis.net]
Sent: woensdag 9 januari 2008 9:56
To: spf-discuss@v2.listbox.com
Subject: RE: [spf-discuss] Forwarder whitelisting counter-proposal: SPF
"i-am=" modifier

> > Which brings up the old question again: why not use the already
> > existing ENVID (RFC 3461) for this purpose?

> I don't see the connection. ENVID seems intended to be unique for each
> message, and is intended to stay with a message all the way. The SWK
> only appears on the sender-smarthost to recipient-MX hop, and is
> constant for a given forwarding relationship.

I know what ENVID was intended for. :) RFC 1891, section 5.4, reads:

The ENVID esmtp-keyword MUST have an associated esmtp-value. No
meaning is assigned by the mail system to the presence or absence of
this parameter or to any esmtp-value associated with this parameter;
the information is used only by the sender or his user agent.

Since "No meaning is assigned by the mail system to the presence or
absence of this parameter," it really doesn't interfere with anything,
either. So I don't quite get where your "gigantic poison pill" is coming
from.

At any rate, I'm just saying the idea is to use ENVID is not new. Nor, for
that matter an "AUTH" extension to the MAIL command, such as the
responsible submitter extension, using SUBMITTER, instead of AUTH as
extension to the MAIL command.(1) Most of these proposals never seem to
have made it; I reckon all for more or less the same reason: it requires
an official extension to SMTP (whereas SRS can simply be implemented
without first traversing a lengthy IETF track).

Point is largely moot, of course, as I'm neither a propent of using ENVID,
nor AUTH, and simply believe publishing an extra SPF record will do the
trick much easier.

- Mark


(1) See, for instance,

http://www.watersprings.org/pub/id/draft-leibzon-emailredirection-traceheade
rs-00.txt

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83598728-18f1b0
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
nobody at xyzzy
Jan 9, 2008, 3:35 AM
Post #10 of 22 (9528 views)
Permalink
Scott Kitterman wrote:

> Don't both these proposals amount to "forwarders" saying
> "trust me I'm a forwarder - you can just skip rejecting
> SPF Fail mail from me"? Wouldn't anyone trying to forge
> mail and "beat" SPF claim to be a forwarder?

> The only entity that can reliably identify a forwarder is
> the receiver that establishes the forwarding relationship.

+1 wrt Julian's proposal (I didn't check the revised TENBOX).

We discussed op=meng (renamed to op=trust) back in 2005, and
I dropped it as useless later: Of course "final receivers"
can whitelist "traditional forwarders" based on a HELO PASS
if the forwarder offers it. But they don't need a modifier
or option for this piece of "receiver policy" magic. Plain
RFC 4408 SPF will do for this purpose.

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83615233-2e8fd8
Powered by Listbox: http://www.listbox.com
RE: Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
admin at asarian-host
Jan 9, 2008, 3:46 AM
Post #11 of 22 (9525 views)
Permalink
-----Original Message-----
From: Stuart D. Gathman [mailto:stuart@bmsi.com]
Sent: woensdag 9 januari 2008 12:00
To: spf-discuss@v2.listbox.com
Subject: Re: [spf-discuss] Re: Forwarder whitelisting counter-proposal: SPF
"i-am=" modifier

> Since you don't immediately know the forwarder domain of a non-SRS
> forwarder, you have to search. A simple linear search is inefficient
> when the list is large. So, a hint as to what the forwarder domain
> might be would be easier than tricky programming to efficiently search
> the forwarder list given an IP (convert each SPF record to a set of IPs
> and search those). But if the forwarder is nice enough to do that, why
> not just use SRS? Also, ENVID could contain the hint, as someone
> suggested.

I still think SRS is the way to go.

As for ENVID containing the hint, I don't see why not (as I suggested
earlier). At least I would prefer using it over a new AUTH parameter.
There's no RFC mandating ENVID contain any specific content (other than
that it be limited to 100 chars, I believe).

- Mark

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83613784-27a76d
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
nobody at xyzzy
Jan 9, 2008, 3:50 AM
Post #12 of 22 (9535 views)
Permalink
Julian Mehnle wrote:

> No, you got both Michael and me wrong. Each of our proposals is
> merely trying to establish a solid identity that receivers can
> actually PUT on their forwarder whitelist. Of course receivers
> still have to explicitly do that themselves.

> With "i-am=", I can put "HELO=forwarder.org" on my whitelist,
> even if the forwarder doesn't use that identity directly in their
> HELOs.

Right, I got that wrong. IMO forwarders going to the trouble to
publish sender policies for their various MTAs (HELOs) could as
well arrange a simple MTA naming scheme as subdomains of their
forwarder.org. That could be "obvious" enough for receivers
trying to whitelist forwarders "by name", but not interested in
all particular MTA names. It would allow a wildcard policy at
forwarder.org covering any.mta.forwarder.org.

If the names must be in different domains receivers can trigger
their white list on the unique redirect=forwarder.org in these
policies. Admittedly i-am= is clearer, more flexible, and still
simple (it took me only three mails to get it :-)

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83618920-69c546
Powered by Listbox: http://www.listbox.com
RE: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
michael at talamasca
Jan 9, 2008, 3:54 AM
Post #13 of 22 (9533 views)
Permalink
On Wed, 9 Jan 2008, Mark wrote:
> Since "No meaning is assigned by the mail system to the presence or
> absence of this parameter," it really doesn't interfere with anything,
> either. So I don't quite get where your "gigantic poison pill" is coming
> from.

The poison pill is DSN itself. To see the ENVID, an MTA must advertise the
DSN ESMTP option. Advertising DSN commits the mailserver to accept messages
with the NOTIFY flag, and give those messages onerous special treatment.

Also, ENVID is supposed to be constant over the life of a message, while
SWK can change. Consider my "All Together Now" example in the original
message, where the SWK is:
* First, a poster's principal e-mail address, added so that the
mailing list can recognize her as a subscriber, even though she has a
VERP bounce address.
* Second, the list's submission address, so that recipients can recognize
the list despite its VERP.
* Third, the input address of a forward, so that the ultimate recipient
can recognize the forwarding relationship even though the MAIL FROM
varies due to SRS.

> At any rate, I'm just saying the idea is to use ENVID is not new. Nor, for
> that matter an "AUTH" extension to the MAIL command, such as the
> responsible submitter extension, using SUBMITTER, instead of AUTH as
> extension to the MAIL command.(1) Most of these proposals never seem to
> have made it; I reckon all for more or less the same reason: it requires
> an official extension to SMTP (whereas SRS can simply be implemented
> without first traversing a lengthy IETF track).

SUBMITTER is dead because it is required to keep it in lockstep with the
RFC822 headers, and the procedure for mapping from RFC822 headers to the
correct PRA is patented. Also, unless a mailing list does specific header
mangling, messages it explodes will often carry a PRA that is not valid for
the list MTA's IP under SenderID's loopy interpretation of v=spf1 records.

TENBOX/E defines no connection between the message content (including
headers) and the SWK. Unlike PRA, it is safe to reinterpret v=spf1 records
to validate SWKs, since only an MTA that is looking for special treatment
will display an SWK, and only an MTA that was already SPF-pass for the SWK
domain can get such treatment.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83617705-f18a13
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
nobody at xyzzy
Jan 9, 2008, 4:01 AM
Post #14 of 22 (9525 views)
Permalink
Mark wrote:

> Most of these proposals never seem to have made it

I'm positive that some MSAs support AUTH :-) And SUBMITTER
at least made it into RFC 4405, but I've no idea if anybody
uses it in practice. SUBMITTER is AFAIK a PRA accelerator
for PRA FAIL rejects before DATA. Receivers not interested
in rejecting PRA FAIL have no reason to use this extension.
Please correct me if that's wrong.

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83623137-d62b15
Powered by Listbox: http://www.listbox.com
RE: Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
admin at asarian-host
Jan 9, 2008, 4:26 AM
Post #15 of 22 (9532 views)
Permalink
-----Original Message-----
From: Frank Ellermann [mailto:nobody@xyzzy.claranet.de]
Sent: woensdag 9 januari 2008 13:07
To: spf-discuss@v2.listbox.com
Subject: [spf-discuss] Re: Forwarder whitelisting counter-proposal: SPF
"i-am=" modifier

> > Mark wrote:
>
> > Most of these proposals never seem to have made it
>
> I'm positive that some MSAs support AUTH :-)

As parameter to the MAIL command?? We're not talking
the SMTP verb "AUTH" (RFC 2554) here.

- Mark

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83626155-71e6cd
Powered by Listbox: http://www.listbox.com
RE: Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
admin at asarian-host
Jan 9, 2008, 4:31 AM
Post #16 of 22 (9520 views)
Permalink
-----Original Message-----
From: Frank Ellermann [mailto:nobody@xyzzy.claranet.de]
Sent: woensdag 9 januari 2008 13:07
To: spf-discuss@v2.listbox.com
Subject: [spf-discuss] Re: Forwarder whitelisting counter-proposal: SPF
"i-am=" modifier

> And SUBMITTER at least made it into RFC 4405, but I've no idea if
> anybody uses it in practice. SUBMITTER is AFAIK a PRA accelerator for
> PRA FAIL rejects before DATA. Receivers not interested in rejecting PRA
> FAIL have no reason to use this extension. Please correct me if that's
> wrong.

You're right: SUBMITTER actually did make it.

PRA, *shudder*. :)

- Mark

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83635147-6546d2
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
julian at mehnle
Jan 9, 2008, 4:42 AM
Post #17 of 22 (9539 views)
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Deutschmann wrote:
> On Wed, 9 Jan 2008, Julian Mehnle wrote:
> > However, here's another idea how forwarders could identify
> > themselves. Suppose a new SPF modifier named "i-am=" that works
> > exactly like "redirect=", with one addition: the modifier's argument,
> > for example "forwarder.org", can be considered an additional
> > authenticated identity by the receiver if SPF evaluation passes for
> > that domain. The receiver can then use that additional identity to
> > whitelist the sender.
>
> I don't think that's a good use of 60-odd bytes of SPF record space.

Well, saying "v=spf1 redirect=..." is common already nowadays for HELO SPF
records.

> Also, it fails in one common situation. Suppose two forwarding
> organizations (or mailing list hosters) use the I-AM= proposal. Then,
> they merge, desiring to keep both of their original domains in
> operation. They'd like to use one mailserver to serve both domains
> without making their users re-configure. Then which domain gets the
> "I-AM=" reference?

You could simply have multiple "i-am=" modifiers in a single record, and
the receiver could look the "i-am=" domains up in their whitelist and
only try evaluating those that are whitelisted in the first place (saving
unnecessary time and bandwidth). If the "i-am=" SPF check passes for one
of the whitelisted domains, it's a trusted forwarder.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhMEpwL7PKlBZWjsRAohCAJ0eNqNopt+wJsO/M2Fo4OoNWSVwrgCcC5eo
ZrdrQjy9ZBSIMFA7WzXxdYU=
=fdpn
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83633972-bb1627
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
julian at mehnle
Jan 9, 2008, 4:58 AM
Post #18 of 22 (9522 views)
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Deutschmann wrote:
> On Wed, 9 Jan 2008, Julian Mehnle wrote:
> > [...] but I don't think _we_ need to care about [AGUPI] use case and
> > it barely justifies the implementation effort required by your
> > proposal, especially as it can be solved by something as simple as:
> >
> > MAIL FROM:<ralph@example.net:bounce> (or <ralph@example.net.bounce>)
> > RCPT TO:<sarah@example.com>
>
> That still requires some kind of extension signalling, otherwise your
> bounces will be rejected by legacy mailservers that detect you as
> forging a domain that doesn't even exist -- or is a syntax error.

Agreed that some kind of extension signalling would be required. However,
I am not really concerned about this use case. If AGUPI ever happens, it
will likely take another five years.

> Also, accomodating AGUPI should be very important to SPF, since for
> many people it is SPF's killer app.

I don't think AGUPI will ever rely primarily on SPF, since SPF's support
for localpart authentication is just too halfhearted.

> > > MAIL FROM: <sarah+32823667@example.com> AUTH=sarah@example.com
> > > RCPT TO: <ralph@example.org>
> >
> > Of course this only helps if the receiver has implemented TENBOX/E.
> > Do you expect everyone who has implemented greylisting to also
> > implement that?
>
> If SES or BATV takes off, they'll have to downgrade their greylisting
> to only work on a domain basis, or put up with false-positive delays
> all of the time.

True, however that may be a major reason for SES and BATV NOT taking
off. :-/

> TENBOX/E, when implemented by both sides, allows both to get timely
> deliveries without giving anything up.

Well, even though I don't think that the forwarder whitelisting problem
warrants something as involved as your TENBOX/E proposal, it may still be
a useful extension. Why don't you go ahead and write a more formal draft
(see [1] for tips on how to go about that)? You might also want to ask
the relevant IETF working groups for what they think (Frank is involved
in some of them and may be able to give pointers).

References:
1. http://www.openspf.org/RFC_Authoring

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhMT9wL7PKlBZWjsRAq9uAKDnVHGy+s+ObJfV4UMEjEHWcuYrMQCgpRqc
PaQnw4vCUF0biRt0V9KJ0y4=
=MVjp
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83637900-3124fb
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
nobody at xyzzy
Jan 9, 2008, 5:51 AM
Post #19 of 22 (9534 views)
Permalink
Mark wrote:

> As parameter to the MAIL command?? We're not talking
> the SMTP verb "AUTH" (RFC 2554) here.

Right, I'm not sure about this, my CRAM-MD5 test (1)
did not cover it, I also never tried to use another
MAIL FROM with this account. They kept the concept
in RFC 4954 (successor of 2554), so I guess it's no
hopeless case.

Frank
--
1: http://www.ietf.org/IESG/Implementations/CRAM-MD5_implem.txt

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83657111-4c601e
Powered by Listbox: http://www.listbox.com
RE: Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
michael at talamasca
Jan 9, 2008, 6:58 AM
Post #20 of 22 (9545 views)
Permalink
On Wed, 9 Jan 2008, Mark wrote:
> [ Frank Ellerman wrote: ]
> > I'm positive that some MSAs support AUTH :-)
>
> As parameter to the MAIL command?? We're not talking
> the SMTP verb "AUTH" (RFC 2554) here.

AUTH= as MAIL FROM parameter has indeed been in RFC #2554 all along, even
if no one is using it.

From RFC #2554:
# 3. The Authentication service extension
# [...]
# (4) a new SMTP verb "AUTH" is defined
#
# (5) an optional parameter using the keyword "AUTH" is added to the
# MAIL FROM command, and extends the maximum line length of the
# MAIL FROM command by 500 characters.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83681314-1e400c
Powered by Listbox: http://www.listbox.com
RE: Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
admin at asarian-host
Jan 9, 2008, 7:15 AM
Post #21 of 22 (9535 views)
Permalink
-----Original Message-----
From: Michael Deutschmann [mailto:michael@talamasca.ocis.net]
Sent: woensdag 9 januari 2008 16:00
To: spf-discuss@v2.listbox.com
Subject: RE: [spf-discuss] Re: Forwarder whitelisting counter-proposal: SPF
"i-am=" modifier

> > > [ Frank Ellerman wrote: ]
> > > I'm positive that some MSAs support AUTH :-)
> >
> > As parameter to the MAIL command?? We're not talking
> > the SMTP verb "AUTH" (RFC 2554) here.
>
> AUTH= as MAIL FROM parameter has indeed been in RFC #2554 all along,
> even if no one is using it.
>
> From RFC #2554:
> # 3. The Authentication service extension
> # [...]
> # (4) a new SMTP verb "AUTH" is defined
> #
> # (5) an optional parameter using the keyword "AUTH" is added to the
> # MAIL FROM command, and extends the maximum line length of the
> # MAIL FROM command by 500 characters.

Gee, I must be really blind today, :) And not just today: in all those
years I never realized it was there as a param to the MAIL command, too!
And sendmail seems to support it just fine. Hmm, this opens up cute new
possibilities. :)

- Mark

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=83710402-3d0716
Powered by Listbox: http://www.listbox.com
Re: Forwarder whitelisting counter-proposal: SPF "i-am=" modifier [ In reply to ]
dmquigg-spf at yahoo
Jan 10, 2008, 2:24 AM
Post #22 of 22 (9542 views)
Permalink
At 03:40 AM 1/9/2008 +0000, Julian wrote:

>No, you got both Michael and me wrong. Each of our proposals is merely
>trying to establish a solid identity that receivers can actually PUT on
>their forwarder whitelist. Of course receivers still have to explicitly
>do that themselves.
>
>With "i-am=", I can put "HELO=forwarder.org" on my whitelist, even if the
>forwarder doesn't use that identity directly in their HELOs. Currently I
>cannot do that, but I'd rather have to list all their individual HELOs
>(which are bound to change over time).
>
>"i-am=" is merely an out-of-band reformulation of Michael's in-band (SMTP
>extension) idea for transmitting an additional identity.

The SMTP extension could be done in a way that is not tied to SPF (and thus not as likely to generate opposition from the IETF or lack of support by advocates of other methods).

5. Example Using the ID

Here is a typical SMTP session using the ID command. C is the client
(sender). S is the server (receiver).

C: EHLO mailserver7.bigforwarder.com
S: 250-host.com, welcome
S: 250-SIZE ETRN
S: 250-AUTH LOGIN ID
S: 250 HELP
C: ID bigforwarder.com
S: 250 ... Sender validation pending. Continue.
C: MAIL FROM:<bob@sales.some-company.com>
S: 250 Ok

The ID identifies the entity assuming responsibility for the messages which follow in that session. Some additional restrictions (like requiring a valid, registered domain name) might encourage senders to minimize the number of IDs they use, but for legitimate senders anyway, there should be adequate incentive in the desire to build a less fragile reputation.

-- Dave

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=84135296-1dc2f1
Powered by Listbox: http://www.listbox.com

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal