Re: [spfbis] What unused means
Alessandro Vesely <vesely@tana.it> Sat, 21 July 2012 11:27 UTC
Return-Path: <vesely@tana.it>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F9FD21F8694 for <spfbis@ietfa.amsl.com>; Sat, 21 Jul 2012 04:27:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.731
X-Spam-Level:
X-Spam-Status: No, score=-3.731 tagged_above=-999 required=5 tests=[AWL=-0.812, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, J_CHICKENPOX_37=0.6, J_CHICKENPOX_54=0.6, J_CHICKENPOX_93=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dimiVXnAWkFU for <spfbis@ietfa.amsl.com>; Sat, 21 Jul 2012 04:27:19 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by ietfa.amsl.com (Postfix) with ESMTP id 2E77321F8698 for <spfbis@ietf.org>; Sat, 21 Jul 2012 04:27:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=test; t=1342870096; bh=zjtAuzP3GIdFxKA7ZgCu6fnqn35emJd1GwN+m34PMgo=; l=4462; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To: Content-Transfer-Encoding; b=ar5eMUGKveyDzNbFfnZLawMNkARo2uvvzt/l1bYAvVxK2C/LN+z4KMPNNqu4aipFF 1w8k0kUPUwauHr9Fk5tx+WjwwayB5/oViOcQ3rb63Dsp75Mutaqnl+SEdP4Tv4p6+3 OFDpdH0SwcEuMwegAVZrGUpZpWpSGyrpzZCRgVdQ=
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 515, TLS: TLS1.0,256bits,RSA_AES_256_CBC_SHA1) by wmail.tana.it with ESMTPSA; Sat, 21 Jul 2012 13:28:16 +0200 id 00000000005DC03F.00000000500A9250.00006452
Message-ID: <500A9250.1090709@tana.it>
Date: Sat, 21 Jul 2012 13:28:16 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: spfbis@ietf.org
References: <20120719162955.68199.qmail@joyce.lan> <50088570.5010207@dcrocker.net> <50097F83.7010902@tana.it> <4493351.o1zlKi289H@scott-latitude-e6320> <50099AF7.8000204@isdg.net>
In-Reply-To: <50099AF7.8000204@isdg.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] What unused means
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Jul 2012 11:27:20 -0000
On Fri 20/Jul/2012 19:52:55 +0200 Hector Santos wrote:
> Scott Kitterman wrote:
>> On Friday, July 20, 2012 05:55:47 PM Alessandro Vesely wrote:
>>> As Scott said, a receiver who plays SPFbis MAY want to omit
>>> SPF checking for that particular record. If the claim that
>>> those dangerous macros are unused is correct, that is a
>>> holdable choice for new or upgraded implementations. OTOH,
>>> older software and records can continue to work undisturbed and
>>> still be compliant, which is a good interpretation of "backward
>>> compatibility".
>>
>> Note: I didn't say I thought this was a good idea. I don't. I
>> merely think it's better than partial implementations of the
>> protocol issuing errors for things that are valid, but they've
>> chosen not to implement.
draft-schlitt-spf-classic-00 discouraged PTR in 2004, so dropping it
in 2012 shouldn't come as much of a surprise.
> If I read this correct, then this a broken protocol by BIS design
> which is not what BIS is suppose to be about.
>
> IMTO, we should spit the issues up. PTR vs %p are two different
> things. PTR is used, %p is rare.
I'm unable to guess the meaning of that "T" in "IMTO". True? Tough?
Typical? Tergiversatory?
> Alternatively, if the ITCH is that big to have deprecated, removed,
> obsolete features, then do a SPF3.0 but do it properly so there is
> logic backward and upward path for both:
>
> v=spf1 continues supporting PTR, %p
> v=spf3 does not support PTR, %p and whatever else you wish to strip.
I don't see how this would help anything, since the publisher doesn't
have a say about what SPF version, if any, receivers apply. Let's
consider Stuart's example: "v=spf1 ?ptr:isp.com -all". That client
wouldn't know what to write in a v=spf3 record, so I'm unable to guess
what advantages might result from a version change.
More on that example:
On Thu 19/Jul/2012 06:49:48 +0200 Stuart Gathman wrote:
> the ISP provides no SPF record of its own, but the smtp servers all
> end in "isp.com".
IMHO, the trick lays in the problem statement: How can one know that
all their smtp servers end in "isp.com", given that the most obvious
place to make such a statement would be an SPF record? Obviously,
ISPs can change host names without notice.
How meaningful is that name suffix? RFC 5451 formalizes an "iprev"
authentication method, which is similar to the PTR mechanism, but
easier to pass, as it doesn't take such name. A receiver who
implements both methods could mark a message from that client like so:
Authentication-Results: SPFbis.example;
iprev=pass policy.iprev=192.0.2.30;
spf=neutral smtp.mailfrom=client-of-isp.com
Received-SPF: neutral mechanism=ptr client-ip=192.0.2.30
I note that the speculated "isp.com" string is not reported. In case
the message is abusive, I wouldn't know where to send a complaint.
RFC 5451 doesn't use the term "discouraged", but says:
There is some contention regarding the wisdom and reliability of this
test. For example, in some regions it can be difficult for this test
ever to pass because the practice of arranging to match the forward
and reverse DNS is infrequently observed. Therefore, the actual
implementation details of how a verifier performs an "iprev" test are
not specified here. The verifier MAY report a successful or failed
"iprev" test at its discretion having done some kind of check of the
validity of the connection's identity using DNS. It is incumbent
upon an agent making use of the reported "iprev" result to understand
what exactly that particular verifier is attempting to report.
Extensive discussion of reverse DNS mapping and its implications can
be found in [DNSOP-REVERSE]. In particular, it recommends that
applications avoid using this test as a means of authentication or
security. Its presence in this memo is not an endorsement, but is
merely acknowledgement that the method remains common and provides
the means to relay the results of that test.
NB: [DNSOP-REVERSE] is the "blancmange" document that Andrew referred
in a parallel thread a couple of days ago. An interesting reading,
rich of historical details, that document is alas also an example of a
topic which can yield not-published-as-an-RFC. There's plenty of
different topics to discuss in 4408bis.
[DNSOP-REVERSE]
http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06
- [spfbis] What unused means John Levine
- Re: [spfbis] What unused means Scott Kitterman
- Re: [spfbis] What unused means Andrew Sullivan
- Re: [spfbis] What unused means John Levine
- Re: [spfbis] What unused means Dave Crocker
- Re: [spfbis] What unused means Alessandro Vesely
- Re: [spfbis] What unused means Scott Kitterman
- Re: [spfbis] What unused means Hector Santos
- Re: [spfbis] What unused means S Moonesamy
- Re: [spfbis] What unused means Alessandro Vesely
- Re: [spfbis] What unused means Hector Santos
- Re: [spfbis] What unused means Hector Santos
- Re: [spfbis] What unused means Hector Santos
- Re: [spfbis] What unused means Murray S. Kucherawy
- Re: [spfbis] What unused means Hector Santos