Re: [dmarc-ietf] Ticket #1 - SPF alignment

Hector Santos <hsantos@isdg.net> Tue, 02 February 2021 15:42 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB7983A1BA6 for <dmarc@ietfa.amsl.com>; Tue, 2 Feb 2021 07:42:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=jcwqaYkx; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=zTDlaUgM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gLbWvDXnvh0Q for <dmarc@ietfa.amsl.com>; Tue, 2 Feb 2021 07:42:23 -0800 (PST)
Received: from mail.winserver.com (winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F7CD3A1262 for <dmarc@ietf.org>; Tue, 2 Feb 2021 07:42:23 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=5470; t=1612280538; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=4v33hnWx5G6QZGvM6L5dDxnuc1ci VUDq6L3MpH5t+dA=; b=jcwqaYkxt3nrH7cTqCPMbaH+lALmLeRp/+H5asSX6RxI j0rpLMnGIokJa5qk4eP3OeYHLdxKZwQrn3ODbvc93R1b/m7Xzwysy/9NzNhmj3q0 Rz7MGKEoyXS4YrmjDe9eg1t0MsuB7rHGa4l040DiakK0+sCzW3+0ViivueDvuv4=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 02 Feb 2021 10:42:18 -0500
Authentication-Results: dkim.winserver.com; dkim=fail (DKIM_SELECTOR_DNS_PERM_FAILURE) header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=dkim-fail policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 608735401.16691.2868; Tue, 02 Feb 2021 10:42:07 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=5470; t=1612280502; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=4v33hnW x5G6QZGvM6L5dDxnuc1ciVUDq6L3MpH5t+dA=; b=zTDlaUgMXzHBKljMrtDW3/L 6Yb5KE4BxyF4jW+bFpkCzv7M31spz9VHPmdfzVmZdKyElbgGJ0bNryMnRyYNxqBo PkxXoAdtWUB5NRkmP3Jv5fjpPHfzPrTOJK1YA7OCDkeNFdSySdLSY5KtGk+cNBbp +s/kuRZBK5zomf58LYhY=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 02 Feb 2021 10:41:42 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1292430971.1.24652; Tue, 02 Feb 2021 10:41:42 -0500
Message-ID: <601972CC.5000604@isdg.net>
Date: Tue, 02 Feb 2021 10:42:04 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
CC: Scott Kitterman <sklist@kitterman.com>, IETF DMARC WG <dmarc@ietf.org>, 'Hector Santos' <winserver@icloud.com>
References: <20210130212339.447316D04763@ary.qy> <1654196.ygyh55z74P@zini-1880> <babf1538-5172-f101-d5e4-c4fa33dea495@tana.it> <4489192.U1a6Vm75Xl@zini-1880> <CAH48ZfxB8OoA=3YCdj9mCf3sBzRo8Cu0Tg0z70_tCqQ6QmsCTg@mail.gmail.com>
In-Reply-To: <CAH48ZfxB8OoA=3YCdj9mCf3sBzRo8Cu0Tg0z70_tCqQ6QmsCTg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/s_HDbkQS3Tbpfhs9Tu4pO-a1A_Q>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2021 15:42:26 -0000

On 2/1/2021 7:11 PM, Douglas Foster wrote:
> I think I finally understand the complexities of this issue.   SPF is
> two different validations, largely unrelated.
>
> Test One:
> A connection comes in and a server asserts a HELO name.   Before
> proceeding, the recipient was to check if the HELO name is plausible
> or fraudulent.    One way to do this would be to forward-confirm the
> HELO DNS name to the source IP.  An alternate method is to use SPF to
> see if the SPF policy says that the HELO domain can send from the
> Source IP.   I do not understand why the domain owner would be able to
> configure the SPF policy but not the host name in DNS.

There is a history of Machine Host Name and IP misconfiguration -- 
EASILY possible by simply moving a machine or trying to use many 
machines correctly and generically with one configuration profile.  If 
rDNS is not available for the host, its all part of the unreliability. 
  Unless you write SMTP code for outbound mailing, its hard to see 
this. You can try to automate the smtp client design so that the EHLO 
is always correct with the IP, but there will be MANY times where it 
won't be right for ABC customer for their XYZ reasons.  Its possible 
but its not without optional fields to override an automated logic.

> Test Two:
> If the conversation proceeds past HELO to MAILFROM, then the second
> validation is performed:   Is the Source IP is authorized to send on
> behalf of the SMTP domain?   When the SMTP address is null, then
> postmaster@HeloDomain serves as a proxy for performing this test.

That's one theory possible, but the main thing to remember that a 
BOUNCE is required in the name of mail delivery and notifications when 
delivery fails. You still have the unreliable nature of HELO checking 
and a bounce is too important to be making it dependent on an 
unreliable HELO SPF check.

Many systems do a variety of RFC5322 checks for a BOUNCE message after 
it is accepted or maybe at the DATA state.   It would be nice if we 
could enforce DSN (RFC3464) but that is not possible.  Its optional 
and the old way of doing BOUNCE messages, formats and layouts varies. 
  Inconsistent.  There are some keep addresses that "must" or "should" 
exist in the 5322.From, like the user part has "Mailer-Daemon" and 
"postmaster" when the 5321.MailFrom is NULL.  If not, it could be 
rejected then.

Finally......

Back in early days of LMAP "Lightweight MTA Authentication Protocol" 
[1] , 2003, 2004, Meng Wong made his version of a LMAP protocol called 
SPF. Before SPF, there were others like DMP "Designated Mailers 
Protocols" [2] and RMX [3]. SPF is a merge of these two LMAP methods.

My wcSMTP was among the early LMAP explorers (wcSMTP had DMP support 
before SPF came). I did an LMAP analysis and provided it to Meng Wong. 
  We had an email conversation about the need to document SPF 
CheckHost() for HELO (despite its unreliability and ambiguity) but do 
not enforce HELO checking because there will a wide degree of 
different implementations possible when it comes to HELO checking and 
the order of checking the identities.  For example, in wcSMTP, the 
order is as follows:

1- RCPT TO
2- MAIL FROM
3- EHLO/HELO (optional which is OFF by default)

Before any extended, DNS overhead augmented technology is performed, 
RCPT TO is checked for validity and existence. So when the client 
issues MAIL FROM, the following response is issued by wcSMTP:

C: MAIL FROM:<return-address>
S: 250 <return-path>... Sender validation pending. Continue.

Then the RCPT TO issued:

C: RCPT TO:<forwarding-address>

If the RCPT TO address is good, then it now checks the envelope 
parameters against a suite of protocols that include RBL, SPF, CBV and 
local rules filters.

But if the RCPT TO address is not good, then a 550 is issued because 
there is no need to check for any DNS related policies.  If SPF fails 
here, DATA is never reached -- its considered an optimizer and 
remember please, SPF predated DKIM POLICIES (SSP, ADSP and DMARC).  In 
additional, there is the PRA and SUBMITTER protocol that wcSMTP SPF 
implementation considers.  PRA/SUBMITTER provides the 5322.From 
address at the SMTP level.  It can be used to for SPF checking. Its 
optional.  But now with DMARC, I think PRA/SUBMITTER can play a big 
role and enhance these DMARC SMTP/SPF checking adjustment. Its 
unfortunate there isn't another "mail engineer" that can see the 
benefit of these protocols used together. SPF doesn't need to change, 
DMARC does!!!

Here is the LMAP analysis I did. wcSMTP follows the concepts this 
analysis to help optimize LMAP protocols checking at the SMTP level:

https://secure.winserver.com/public/antispam/lmap/draft-LmapAnalysis1-2.htm

I hope this helps your understanding of the complexity of all this, 
but for me, there are some basic filter concepts that can be applied 
and I do for my wcSMTP package before all the extra DNS overhead can 
be applied.

-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos

[1] Lightweight MTA Authentication Protocol (LMAP) Discussion and 
Applicability Statement, 
https://secure.winserver.com/public/ietf/drafts/draft-irtf-asrg-lmap-discussion-00.txt

[2] Designated Mailers Protocol (DMP), 
https://tools.ietf.org/html/draft-fecyk-dmp-01

[3] The RMX DNS RR and method for lightweight SMTP sender 
authorization, https://tools.ietf.org/html/draft-danisch-dns-rr-smtp-03