Hi,
I'm new and have been poring over the archives of the spf and srs
lists trying to get up to speed.
I would like to make a comment about the partial-open-relay problem,
i.e. the fact that if an SRS-aware MTA willingly forwards SRS1
addresses after unwrapping them to SRS0, it runs the risk of forwarding
junk mail to a wildcard address on the target domain.
I agree that while this may not be an enormous problem, it is a real
problem (being the recipient of wildcard mail to at least one domain
myself).
It seems to me that there is a very straightforward way to close this
hole that I haven't seen mentioned in the archives at all.
The danger of blindly forwarding SRS1 addresses is that the
receiving MTA might not be SRS aware. It should always be safe to
forward SRS1 addresses to SRS-aware MTAs. We can be slightly more
cautious than that: it is only ever appropriate to forward to SRS0
addresses on MTAs which actually send out SRS0 addresses.
As the statement "I send SRS0 addresses" is arguably part of a
sender policy framework, it would not be unreasonable to include
this information in an SPF record in the DNS.
A simple backwards-compatible way to do this in an spf1 record would
be to put e.g. "+srs0" *after* the "*all" word. e.g. I would replace
cse.unsw.edu.au IN TXT "v=spf1 a mx ?all"
with
cse.unsw.edu.au IN TXT "v=spf1 a mx ?all +srs0"
This should not affect the current processing of spf1 records as it
should stop at the first 'all'.
So, I'm proposing that an MTA should only unwrap an SRS1 address and
forward on to the appropriate SRS0 address if the domain in the SRS0
address publishes an "spf" record which declares "+srs0", and that
MTAs which send SRS0-wrapped return addresses should declare that
fact by having "+srs0" in the spf record for each domain they
control.
Comments?
NeilBrown
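The check proposed above, written out as an added example (this is editor-supplied illustration code, not code from the poster or from any SRS implementation). It assumes a constructed in-memory table standing in for DNS TXT lookups, the usual SRS1 layout `SRS1=HHH=forward-host==HHH=TT=orig-domain=local`, and that "+srs0" is recognised only when it appears after the record's "all" term, as the post suggests; the record name `cse.unsw.edu.au` is taken from the post, the other domains are made up.

```python
import re
from typing import Optional, Tuple, List

# Constructed stand-in for DNS TXT lookups (not real records).
DNS_TXT = {
    "cse.unsw.edu.au": "v=spf1 a mx ?all +srs0",   # declares it sends SRS0
    "legacy.example": "v=spf1 a mx -all",          # SPF, but no +srs0
    "nospf.example": None,                         # no SPF record at all
}


def lookup_txt(domain: str) -> Optional[str]:
    """Assumed DNS lookup: returns the spf1 TXT record or None."""
    return DNS_TXT.get(domain.lower())


def parse_spf(record: Optional[str]) -> Optional[Tuple[List[str], List[str]]]:
    """Split an spf1 record at its first 'all' term.

    Returns (terms up to and including 'all', terms after 'all'), or None
    when there is no usable spf1 record.  A classic spf1 evaluator stops
    at the first 'all', so anything after it is invisible to it; that is
    where the proposal parks the "+srs0" declaration.
    """
    if not record or not record.lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            return terms[: i + 1], terms[i + 1:]
    return terms, []


def declares_srs0(domain: str) -> bool:
    """True iff the domain's spf1 record carries '+srs0' after its 'all' term."""
    parsed = parse_spf(lookup_txt(domain))
    if parsed is None:
        return False
    _, trailing = parsed
    return any(t.lower() == "+srs0" for t in trailing)


# Assumed SRS1 local-part layout: SRS1=HHH=forward-host==HHH=TT=domain=local
SRS1_RE = re.compile(
    r"^SRS1=(?P<hash>[^=]*)=(?P<host>[^=]+)==(?P<rest>.+)$", re.IGNORECASE
)


def unwrap_srs1(local_part: str) -> Optional[str]:
    """Rewrite an SRS1 local part to the SRS0 address it came from."""
    m = SRS1_RE.match(local_part)
    if not m:
        return None
    return f"SRS0={m['rest']}@{m['host']}"


def forwarding_decision(address: str) -> Tuple[Optional[str], str]:
    """Decide whether to forward a bounce addressed to an SRS1 address.

    Only unwraps to SRS0 when the SRS0 domain publishes "+srs0"; otherwise
    refuses, so junk aimed at a non-SRS domain's wildcard address is not
    relayed.  Returns (address to forward to or None, reason).
    """
    local, _, _domain = address.rpartition("@")
    target = unwrap_srs1(local)
    if target is None:
        return None, "not an SRS1 address; ordinary delivery"
    target_domain = target.rpartition("@")[2]
    if declares_srs0(target_domain):
        return target, f"{target_domain} declares +srs0; forwarding"
    return None, f"{target_domain} does not declare +srs0; refusing to forward"


if __name__ == "__main__":
    for addr in (
        "SRS1=abcd=cse.unsw.edu.au==wxyz=TT=orig.example=alice@second.example",
        "SRS1=abcd=legacy.example==wxyz=TT=orig.example=alice@second.example",
        "SRS1=abcd=nospf.example==wxyz=TT=orig.example=alice@second.example",
        "bob@second.example",
    ):
        print(addr, "->", forwarding_decision(addr))
```

The parser deliberately keeps the split at "all" so a reader can confirm that a standard evaluator, which stops there, never sees the trailing "+srs0" term; the decision function then consults only the domain of the reconstructed SRS0 address, not the domain the bounce arrived at.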