Re: [spfbis] New issue: 8.4. Fail: rejection is not described explicitly
Alessandro Vesely <vesely@tana.it> Tue, 23 April 2013 07:59 UTC
Return-Path: <vesely@tana.it>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECEA921F872E for <spfbis@ietfa.amsl.com>; Tue, 23 Apr 2013 00:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.719
X-Spam-Level:
X-Spam-Status: No, score=-4.719 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ND7vIKtteKY for <spfbis@ietfa.amsl.com>; Tue, 23 Apr 2013 00:59:15 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by ietfa.amsl.com (Postfix) with ESMTP id 1E69F21F871C for <spfbis@ietf.org>; Tue, 23 Apr 2013 00:59:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1366703953; bh=0ANlda2K8FnUpao1YxbxFpkTvrpdwK5+7GpyKs9Iz8E=; l=3483; h=Date:From:To:References:In-Reply-To; b=kL846g6gu8DSQk1Cw4ynZGeJUMi8y2eCoWTYNmCPEpqFSyO8YQDu9uqoEJ9rXecNs qVaV7Hb3utdTa/ZDAbAPAQo084Vx7wlrp930lnRLklr0C/qO279lHoiypqGiQ5S6Mx UCPfDYJ04VK00aoeZ/3gwaAOUZ7KyGoXmYlKdqSU=
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.101] (pcale.tana [172.25.197.101]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Tue, 23 Apr 2013 09:59:12 +0200 id 00000000005DC039.0000000051763F50.00002908
Message-ID: <51763F51.3020608@tana.it>
Date: Tue, 23 Apr 2013 09:59:13 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: spfbis@ietf.org
References: <51726641.7070606@tana.it> <CAL0qLwb0KzATJ5p3Ca1+0sj5bvYi7wJx-MppnBfyX_UUg_JPzw@mail.gmail.com> <5173BEF0.10707@tana.it> <CAL0qLwaVPhrukwAN88D7Ycb-UJaDivhAn-zugkrdMhJ7D2R2GQ@mail.gmail.com> <5174F5ED.4080303@tana.it> <CAL0qLwY=3ePi+z=pWA=bpnAt5wpzGTZJXNCsj9gsZYO8ybY=yA@mail.gmail.com>
In-Reply-To: <CAL0qLwY=3ePi+z=pWA=bpnAt5wpzGTZJXNCsj9gsZYO8ybY=yA@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] New issue: 8.4. Fail: rejection is not described explicitly
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2013 07:59:16 -0000
On Mon 22/Apr/2013 20:20:44 +0200 Murray S. Kucherawy wrote: > On Mon, Apr 22, 2013 at 1:33 AM, Alessandro Vesely <vesely@tana.it> wrote: > >>>> SPF does not separate algorithm from policy in the same way >>>> that DKIM is separated from ADSP. How can DMARC specify an >>>> interface to the SPF layer if SPF does not provide for one? >>> >>> RFC5451 is a perfectly good interface. It works fine for >>> OpenDMARC, for example. >> >> Hm... RFC 5451 has phrases like 'if, for example, [SPF] returned >> as "pass" result'. It is not clear whether that refers to the >> result of the check_host() function rather than, considering >> Section 4.2 "Local Policy Enforcement", the combined result of >> check_host() and local policy up to that point in the >> processing. > > That's a bit off topic here, I think. Not if we just aim at establishing whether such /kind/ of statements can be made in a well defined manner. > However, I don't think you're comparing the same things. The SPF result is > the result of check_host(). What local policy choice is made might be > based on that and it might not, but that doesn't change what check_host() > returned. Correct, it is possible to refer to the result of check_host() for a given identity. But none of RFC 5451, VBR and DMARC do so. Why? I think it would result in a too lengthy wording. Perhaps, the wording of Section 2.4 can be improved? Let me try: OLD: A mail receiver can perform a set of SPF checks for each mail message it receives. An SPF check tests the authorization of a client host to emit mail with a given identity. Typically, such checks are done by a receiving MTA, but can be performed elsewhere in the mail processing chain so long as the required information is available and reliable. At least the "MAIL FROM" identity MUST be checked, but it is RECOMMENDED that the "HELO" identity also be checked beforehand. NEW: A mail receiver can perform two SPF checks for each mail message it receives. Each SPF check tests the authorization of a client host for using either the "HELO" or the "MAIL FROM" identity. The possible results of each check are given in Section 2.6. The primary SPF result is the result of of the check associated with the "MAIL FROM" identity; this result MUST be obtained if possible. The secondary SPF result is the result of the check associated with the "HELO" identity; it is RECOMMENDED that this result be obtained beforehand, and it MUST be obtained if it is not possible to get the primary. _Note_ that I'm not proposing that change. I'm asking if a change like that would clear this issue. >> As a further example, Section 7.3 of RFC 5518 is formally ambiguous >> too, because SPF could produce a "pass" result by validating the >> "HELO" identity, and then VBR would be checked against a possibly >> spoofed <reverse-path>. > > RFC5451 includes a mechanism for the consumer to know which mode of > SPF was used. Why does VBR itself have to care? VBR does not refer to RFC 5451. It just says: When SPF is the validation mechanism, VBR's md= MUST be the same value as the domain name in the <reverse-path> address that is the first parameter to the SMTP MAIL command. A domain is valid for use with VBR only when the SPF process produces a "pass" result. Admittedly, it takes a bit of malice to misunderstand that. However, someone blindly developing the specs could overlook it.
- [spfbis] New issue: 8.4. Fail: rejection is not d… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… John Levine
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Hector Santos
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Hector Santos
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Hector Santos
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Scott Kitterman
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Scott Kitterman
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Scott Kitterman
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Murray S. Kucherawy
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Murray S. Kucherawy
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Murray S. Kucherawy
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Scott Kitterman
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Murray S. Kucherawy
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Murray S. Kucherawy
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… John Levine
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Murray S. Kucherawy
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Scott Kitterman
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Hector Santos
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Scott Kitterman
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Hector Santos
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Scott Kitterman
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Scott Kitterman
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… Alessandro Vesely
- Re: [spfbis] New issue: 8.4. Fail: rejection is n… S Moonesamy