Mailing List Archive

RE: [SPF-FAIL] - Re: Setting up SPF - Sender is probably forged (SPF Softfail)
Welcome to the list, glad you could be of some help by pointing out that people
made a mistake. Instead of wasting your time saying "you're wrong" and "you're
wrong", how about: "that is incorrect, here is the right information".

I will re-phrase, since that is what *I* understand to be where SPF gets
the IP information from. If I look at the header I see the original IP
in it; if I'm wrong that's fine, simply show us the path. There could be a
misunderstanding with what I interpret to be the header, because when I
send this mail the header will have my mail server's public IP.




--------------------------------------------------------------------------------
This email is intended only for the named recipients. All email is monitored and archived for compliance requirements.
The views or context in this message may not reflect the view or context of the company.
--------------------------------------------------------------------------------



-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: [SPF-FAIL] - Re: Setting up SPF - Sender is probably forged (SPF Softfail)
Benjamin Zachary wrote:

> that is what *I* understand to be where SPF gets the IP
> information from

It's simple in SMTP (the S stands for simple ;-) The sending
mailer (client MTA) "talks" with the receiving mailer (server).
They use a TCP connection to "talk". TCP uses IP, and there
you have the IP without any doubt (forget anything you've heard
of "IP spoofing", it's extremely difficult with TCP).

> If I look at the header I see the original IP in it

The receiver normally notes it in a Received: header. But it's
not always easy to find the correct Received: header. And even
if you find it the real power of SPF is to _reject_ all forged
MAIL FROM addresses in the SMTP dialogue. Detecting forgeries
later is fine, but less convincing, because all you can then do
is to delete the mail. Bouncing to a forged address would be
stupid. So if there's _any_ error (e.g. if you took the wrong
Received: header, or if the sender policy is too restrictive),
then the mail would be lost.

OTOH if SPF works in the SMTP dialogue the sender gets a proper
SMTP error message, and can report it to the sending user.

Bye, Frank
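
Frank's point that the Received: header is only a fallback, and that taking the wrong one loses the real client address, can be shown with a small header walker. This is an added example, not code from the thread or from any SPF library; the message, the MTA names (mx.example.net, mailstore.example.net) and the trusted-host list are all constructed for the illustration. Only Received: lines written by your own MTAs record the TCP peer address; anything below them arrived inside the message the remote client handed over and carries no more authority than the body.

```python
import re

# Constructed sample message (not from the thread). Received: headers are
# prepended by each hop, so the newest is on top. The top two were written by
# our own MTAs (assumed names mailstore.example.net and mx.example.net); the
# bottom one arrived inside the message as submitted by the remote client.
MESSAGE = """Received: from mx.example.net (mx.example.net [192.0.2.1])
\tby mailstore.example.net with ESMTP id int001
\tfor <user@example.net>; Fri, 8 Oct 2004 05:56:01 +0200
Received: from mail.sender.example (mail.sender.example [192.0.2.25])
\tby mx.example.net with ESMTP id ext002
\tfor <user@example.net>; Fri, 8 Oct 2004 05:55:58 +0200
Received: from workstation (workstation [10.1.1.5])
\tby mail.sender.example with ESMTP id sub003; Fri, 8 Oct 2004 05:55:00 +0200
From: someone@sender.example
Subject: test

body text
"""

# Names of the MTAs we operate (assumed); only Received: lines they wrote
# reflect an address taken from a TCP connection we actually accepted.
TRUSTED_MTAS = {"mx.example.net", "mailstore.example.net"}

# Matches "from <helo> (<rdns> [<ip>]) by <host>" in an unfolded Received: value.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9.]+)\]\)\s+by\s+(\S+)", re.S)


def headers(raw):
    """Return (name, value) pairs from the header block, folded lines joined."""
    block = raw.split("\n\n", 1)[0]
    lines = []
    for line in block.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()   # continuation of the previous header
        else:
            lines.append(line)
    return [(n.strip().lower(), v.strip())
            for n, _, v in (l.partition(":") for l in lines)]


def received_hops(raw):
    """(from_host, from_ip, by_host) for every parseable Received: header, top first."""
    hops = []
    for name, value in headers(raw):
        if name == "received":
            m = RECEIVED_RE.search(value)
            if m:
                hops.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return hops


def connecting_ip(raw, trusted=TRUSTED_MTAS):
    """IP of the client that connected to our border MTA, or None.

    Walk top-down: a hop written by a trusted MTA whose 'from' is also one of
    ours is internal relaying and is skipped; the first trusted hop whose
    'from' is outside is the border, and its bracketed IP is the TCP peer
    address that MTA recorded itself.
    """
    for from_host, from_ip, by_host in received_hops(raw):
        if by_host not in trusted:
            return None        # ran into untrusted headers before finding the border
        if from_host not in trusted:
            return from_ip
    return None


def bottom_received_ip(raw):
    """The naive 'original IP' reading: take the lowest Received: header."""
    hops = received_hops(raw)
    return hops[-1][1] if hops else None


if __name__ == "__main__":
    print("border client IP:", connecting_ip(MESSAGE))        # 192.0.2.25
    print("bottom Received: IP:", bottom_received_ip(MESSAGE))  # 10.1.1.5
```

The two functions disagree on the same message: the bottom header yields an address the sender supplied, while the border hop yields the address the receiving MTA saw on the wire, which is the one SPF is defined against. Doing the check inside the SMTP dialogue, as Frank recommends, sidesteps the selection problem entirely because the peer address is known directly.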


Re: Re: [SPF-FAIL] - Re: Setting up SPF - Sender is probably forged (SPF Softfail)
On Fri, Oct 08, 2004 at 05:55:58AM +0200, Frank Ellermann wrote:
> > If I look at the header I see the original IP in it
>
> The receiver normally notes it in a Received: header. But it's
> not always easy to find the correct Received: header. And even
> if you find it the real power of SPF is to _reject_ all forged
> MAIL FROM addresses in the SMTP dialogue. Detecting forgeries
> later is fine, but less convincing, because all you can then do
> is to delete the mail. Bouncing to a forged address would be
> stupid. So if there's _any_ error (e.g. if you took the wrong
> Received: header, or if the sender policy is too restrictive),
> then the mail would be lost.

What's more, if you look at the header _after_ the actual transaction
has taken place, there is a delay between the reception of the message
and the spf check. If this delay is large enough, the spf record may
have changed which means your spf check is not against the spf record
that the sender intended it to be against.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: [SPF-FAIL] - Re: Setting up SPF - Sender is probably forged (SPF Softfail)
Koen Martens wrote:

> if you look at the header _after_ the actual transaction
> has taken place, there is a delay between the reception of
> the message and the spf check. If this delay is large enough,
> the spf record may have changed

Or the IP in question may have changed. I'm a bit worried
about something like a:mta.example and load balancing with
several IPs. Or is this nonsense, because that's not how
it's done?
Bye, Frank


Re: Setting up SPF - Sender is probably forged (SPF Softfail)
On Fri, 2004-10-08 at 03:48, Frank Ellermann wrote:
> Koen Martens wrote:
>
> > if you look at the header _after_ the actual transaction
> > has taken place, there is a delay between the reception of
> > the message and the spf check. If this delay is large enough,
> > the spf record may have changed
>
> Or the IP in question may have changed. I'm a bit worried
> about something like a:mta.example and load balancing with
> several IPs. Or is this nonsense, because that's not how
> it's done ?
> Bye, Frank

Load balancing is, in every implementation I have been privy to,
implemented through the use of non-routable subnets, and Network Address
Translation has been employed to use one IP address to represent any
given number of nodes being balanced. This is ideal for a wide variety
of reasons, most notably in this particular case because it means the
above-stated problem wouldn't arise.

To give you an example, the mail cluster I designed for my current
company consists of 6 identical nodes, 2 of which operate as redundant
load balancers capable of participating in mail handling should the need
arise. Through the use of several algorithms and NAT the nodes are
hidden from the Internet, and even when they go off- and on-line the
outside world is oblivious to this. Even in the event of a load-balancer
failure, the redundant device, which is already sharing the MAC address,
takes ownership of the IP address in question whilst the former node is
offline and returns it (or not, depending upon configuration) when the
former master node returns.

Hope that helps.

Cheers,

James

--
James Couzens,
Programmer
( ( (
((__)) __\|/__ __|-|__ '. ___ .'
(00) (o o) (0~0) ' (> <) '
---nn-(o__o)-nn---ooO--(_)--Ooo--ooO--(_)--Ooo---ooO--(_)--Ooo---
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7A7C7DCF

Re: Re: [SPF-FAIL] - Re: Setting up SPF - Sender is probably forged (SPF Softfail)
Frank wrote:

>Or the IP in question may have changed. I'm a bit worried
>about something like a:mta.example and load balancing with
>several IPs. Or is this nonsense, because that's not how
>it's done ?

It's often done this way. It is not unusual to have a DNS
round robin at five seconds or so or to have a name server
respond with more intelligent load-balanced answers (think
BigIP or equivalent for commercial products).

Those techniques by their nature suggest that ip4: entries
are a really good thing.

Hope this helps,

Len

Re: Re: [SPF-FAIL] - Re: Setting up SPF - Sender is probably forged (SPF Softfail)
On Fri, Oct 08, 2004 at 12:48:07PM +0200, Frank Ellermann wrote:
> Koen Martens wrote:
>
> > if you look at the header _after_ the actual transaction
> > has taken place, there is a delay between the reception of
> > the message and the spf check. If this delay is large enough,
> > the spf record may have changed
>
> Or the IP in question may have changed. I'm a bit worried
> about something like a:mta.example and load balancing with
> several IPs. Or is this nonsense, because that's not how
> it's done ?

You mean load balancing as in defining multiple A records for
mta.example? This is no problem, the SPF check should be done with all
the A records for mta.example.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: Setting up SPF - Sender is probably forged (SPF Softfail)
James Couzens wrote:

> Hope that helps.

Yes, thanks, also to Len and Koen. Putting it all together,
in most cases there shouldn't be a problem. Either the hosts
share the same public IP, or the name resolves to all IPs.

An example for the latter is news.claranet.de, whenever I ask
it's another IP, but in fact I always get all IPs. In this
case 13 IPs. In netdb.h I see a #define _MAXADDDRS 35, let's
hope that this is good enough.

A round robin scheme returning only one actual IP could be a
problem. So if normal users are forced to "guess" a sender
policy of their mail provider (= if "include:" is no option),
and if they want to use "a" or "mx", then they should be very
careful.
Bye, Frank

Re: Setting up SPF - Sender is probably forged (SPF Softfail)
James Couzens wrote:

> Hope that helps.

Yes, thanks, also to Len and Koen. Putting it all together,
in most cases there shouldn't be a problem. Either the hosts
share the same public IP, or the name resolves to all IPs.

An example for the latter is news.clara.net, whenever I ask
it's another IP, but in fact I always get all IPs. In this
case 13 IPs. In netdb.h I see a #define _MAXADDDRS 35, let's
hope that this is good enough.

A round robin scheme returning only one actual IP could be a
problem. So if normal users are forced to "guess" a sender
policy of their mail provider (= if "include:" is no option),
and if they want to use "a" or "mx", then they should be very
careful.
Bye, Frank

P.S.: Sorry, I sent my first reply to you instead of the
list, here's the fixed version with news.clara.net
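
The three observations above (Len: round-robin name servers may hand out one IP at a time and ip4: entries avoid the issue; Koen: an "a" mechanism must be checked against all A records of the name; Frank: "a" and "mx" in a guessed policy are risky) can be made concrete with a small SPF evaluator run against two stubbed resolvers. This is an added example, not code from the thread, libspf, or any SPF implementation; the zone data (mta.example with three addresses, example.com with one MX) and the policies are constructed. It implements only the mechanisms the thread mentions (a, mx, ip4, include, all) with the standard qualifiers, and it omits the macro, exists, ptr and ip6 mechanisms as well as the DNS lookup limits.

```python
import ipaddress
from itertools import cycle

# Constructed DNS data (not real zones): mta.example is a cluster of three hosts
# and is the MX for example.com.
A_RECORDS = {"mta.example": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}
MX_RECORDS = {"example.com": ["mta.example"]}

# Constructed policies for example.com; each maps domain -> SPF TXT string and
# stands in for the DNS TXT lookup a real checker would perform.
A_POLICY = {"example.com": "v=spf1 a:mta.example -all"}
MX_POLICY = {"example.com": "v=spf1 mx ~all"}
IP4_POLICY = {"example.com": "v=spf1 ip4:192.0.2.8/29 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class FullResolver:
    """Name server that returns the complete A record set on every query."""
    def a(self, name):
        return list(A_RECORDS.get(name, []))

    def mx(self, name):
        return list(MX_RECORDS.get(name, []))


class RoundRobinResolver(FullResolver):
    """Name server that answers each A query with a single, rotating record,
    the short-TTL round robin / load-balancer behaviour Len described."""
    def __init__(self):
        self._next = {n: cycle(ips) for n, ips in A_RECORDS.items()}

    def a(self, name):
        return [next(self._next[name])] if name in self._next else []


def check_host(ip, domain, records, resolver):
    """Evaluate the SPF record of `domain` for connecting address `ip`.

    Returns one of pass, fail, softfail, neutral, none, permerror. Mechanisms
    are tried left to right; the first match decides, and the qualifier in
    front of it (default '+') gives the result.
    """
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            # Must compare against every address the name resolves to.
            matched = any(addr == ipaddress.ip_address(t)
                          for t in resolver.a(arg or domain))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(t)
                          for h in resolver.mx(arg or domain)
                          for t in resolver.a(h))
        elif mech == "include":
            matched = check_host(ip, arg, records, resolver) == "pass"
        else:
            return "permerror"   # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qual]
    return "neutral"   # nothing matched and no explicit 'all'


def repeated_checks(ip, domain, records, resolver, n):
    """Run the same check n times, e.g. against a resolver whose answers rotate."""
    return [check_host(ip, domain, records, resolver) for _ in range(n)]


if __name__ == "__main__":
    client = "192.0.2.12"   # a legitimate cluster member
    print("a: with all A records  ", check_host(client, "example.com", A_POLICY, FullResolver()))
    print("a: with round robin    ", repeated_checks(client, "example.com", A_POLICY, RoundRobinResolver(), 3))
    print("ip4: with round robin  ", repeated_checks(client, "example.com", IP4_POLICY, RoundRobinResolver(), 3))
    print("mx ~all, outside host  ", check_host("198.51.100.7", "example.com", MX_POLICY, FullResolver()))
```

Against the full resolver the "a:mta.example" policy passes for any cluster member, which is the news.clara.net situation Frank describes. Against the one-record-per-query resolver the same legitimate host alternates between fail and pass depending on which address the name server happened to return, while the ip4: policy is unaffected because it never consults DNS for the match. The "mx ~all" run shows the softfail the thread's subject line refers to: an address outside the cluster is not authorised, but the policy only asks the receiver to be suspicious rather than to reject.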

