Re: [spfbis] Local macros strike again, was Suggestion...
Hector Santos <hsantos@isdg.net> Sat, 14 January 2012 01:42 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 944C321F860E for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2012 17:42:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.142
X-Spam-Level:
X-Spam-Status: No, score=-2.142 tagged_above=-999 required=5 tests=[AWL=0.457, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zYchuC7Ux39e for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2012 17:42:54 -0800 (PST)
Received: from listserv.winserver.com (mail.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 2626921F860D for <spfbis@ietf.org>; Fri, 13 Jan 2012 17:42:53 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4156; t=1326505364; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=r1/n8v7xKJAV8+h47Kxh20H+g10=; b=MmTGl3DmJ2DDUPFesId1 qfLZG0pXvPJ8lJUWwsE3/uhStSfKZrJHGiuKOiFgKOMKwlvS3wDp9ve8JWPpaUlt JM/iqIU3yBT0VhhnPlngapj8xf5/pRWsc2ZbuJ/nu1KfoEA+RsMwr0Q3aj6/s85K hfO/XahaobogpxRqTfxf0Ow=
Received: by winserver.com (Wildcat! SMTP Router v6.4.454.1) for spfbis@ietf.org; Fri, 13 Jan 2012 20:42:44 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.4.454.1) with ESMTP id 4002214949.36383.3656; Fri, 13 Jan 2012 20:42:43 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4156; t=1326505188; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=+v+tdpo 83O09AmX/xDECSG2/iAhLp62IMdIPdCE/RjU=; b=AQxsskauF0blIY4+OAFeAkC 3GJWYGniHlzdpAOS5Y/5aHy97jQUNond2/f6OeJeIZeCqP3FTcbC8zn64vFG7M4c 86Geolbg91B/8nP/W5FlWGl86S23tYfJjFGPE0j/uCQL1zizAAfmtqEm167Z7WVs oaGo88Xej1TEFv4XqCD8=
Received: by beta.winserver.com (Wildcat! SMTP Router v6.4.454.1) for spfbis@ietf.org; Fri, 13 Jan 2012 20:39:48 -0500
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.4.454.1) with ESMTP id 306210829.5019.2680; Fri, 13 Jan 2012 20:39:47 -0500
Message-ID: <4F10DD94.8040905@isdg.net>
Date: Fri, 13 Jan 2012 20:42:44 -0500
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: spfbis@ietf.org
References: <F5833273385BB34F99288B3648C4F06F19C6C15673@EXCH-C2.corp.cloudmark.com> <4EF8F336.8080508@gathman.org> <F5833273385BB34F99288B3648C4F06F19C6C1569C@EXCH-C2.corp.cloudmark.com> <1590867.1quv5UxKKV@scott-latitude-e6320> <4EFCB88A.1080104@mail-abuse.org> <4EFE6F39.90000@isdg.net> <4F0358CC.6030505@mail-abuse.org> <4F03775B.4050905@isdg.net> <4F04E292.9030502@mail-abuse.org> <4F04FB1C.7070302@isdg.net> <4F060E74.2070103@cisco.com> <4F063F09.3030900@isdg.net> <4F06884D.2070509@mail-abuse.org> <4F082861.5080803@tana.it> <4F09269C.6090402@isdg.net> <4F0B0035.3050106@cisco.com> <4F0C9777.1090904@mail-abuse.org> <4F0C9E61.1010306@cisco.com> <4F0DD063.5090103@tana.it> <4F0E0A7E.1040905@isdg.net> <Pine.GSO.4.62.1201111726390.13909@spaz.oit.wmich.edu> <4F10BEED.7050207@mail-abuse.org>
In-Reply-To: <4F10BEED.7050207@mail-abuse.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] Local macros strike again, was Suggestion...
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2012 01:42:55 -0000
Douglas Otis wrote: > Dear Hector, > > This was simply explaining the impact caused by a change Wayne Schlitt > made to host name limits in his SPF library. He restricted the number > of host names resolved to 5. This caused a problem for t-online.de who > never published SPF records but were subjected to "default" SPF records > such as "a mx/24" and that had 8 hosts in their MX RRset, for example. :^( Doug, Since I'm not familiar with the idea of a "default" SPF record, I don't quite understand why a receiver would applied a "SPF default" to a domain that did make any SPF explicit declaration. Why would you not expect to see problems with this? If this part of the specification? That said, what we have (in our package) is a macro-based filtering language that includes a macro called DIP for DOMAIN::IP association. Its a lightweight LMAP rule that sysops can add to their filters. We recommend to add them for KNOWN transactions that do not have SPF records and only do so if its clear to them that a DIP would accurately apply. These are the DIP rules I have added over the years for our SMTP server: ;------------------------------------------------------------ Reason DIP whitelisted ;------------------------------------------------------------ accept if %DIP% = above.proper.com[208.184.76.39] accept if %DIP% = bbsnets.com[66.8.157.90] accept if %DIP% = dlois.com[216.220.225.104] accept if %DIP% = fbg.collection.com[71.40.6.42] accept if %DIP% = fbg.collection.com[71.40.6.43] accept if %DIP% = hello.sd.dreamhost.com[66.33.201.150] accept if %DIP% = ietf.org[132.151.6.22] accept if %DIP% = imc.org[208.184.76.39] accept if %DIP% = isdg.net[208.247.131.9] accept if %DIP% = jck.com[209.187.148.211] accept if %DIP% = lists.dsafe.org[66.33.206.23] accept if %DIP% = lists.php.net[216.92.131.4] accept if %DIP% = lists.xml.org[209.202.168.102] accept if %DIP% = lists.xml.org[209.202.168.106] accept if %DIP% = mail.imc.org[207.182.41.81] accept if %DIP% = mail.imc.org[208.184.76.39] accept if %DIP% = mail.songbird.com[72.52.113.17] accept if %DIP% = maximus.com[12.150.181.2] accept if %DIP% = mmx.engelschall.com[195.27.130.252] accept if %DIP% = nic.fr[192.134.7.248] accept if %DIP% = orgill.com[204.118.96.135] accept if %DIP% = republico.estv.ipv.pt[193.137.7.30] accept if %DIP% = tbsp.com[173.196.180.194] accept if %DIP% = tclbbs.com[68.252.52.41] accept if %DIP% = tclbbs.com[68.252.52.42] accept if %DIP% = tclbbs.com[68.252.52.43] accept if %DIP% = tclbbs.com[68.252.52.44] accept if %DIP% = tclbbs.com[68.252.52.45] accept if %DIP% = tclbbs.com[68.252.52.46] accept if %DIP% = v2.listbox.com[207.8.214.5] accept if %DIP% = v2.listbox.com[207.8.214.6] accept if %DIP% = v2.listbox.com[208.58.1.195] accept if %DIP% = wingate.com[202.180.113.230] accept if %DIP% = ww-bbs.com[63.168.37.2] accept if %DIP% = www1.ietf.org[132.151.6.22] Note, these are ACCEPTS, so there is no harm per se compared to DIP Reject rules. Similarly, for EHLO/HELP LMAP checks, we provide active examples in the default filter script file for rules that apply to us: ;------------------------------------------------------------ Reason HELO/EHLO mismatch ;------------------------------------------------------------ ; The following rules basically says that only the machine ; at 208.247.131.* are allowed to use the domains listed ; as part of the HELO/EHLO command. These are specifically ; for SSI. You should add your own domains with the IP address ; of where WCSMTP is running using similar rejection rules. Reject if .santronics.com in .%CDN% and %CIP% !in 208.247.131.* Reject if .winserver.com in .%CDN% and %CIP% !in 208.247.131.* Reject if .isdg.net in .%CDN% and %CIP% !in 208.247.131.* Reject if .catinthebox.net in .%CDN% and %CIP% !in 208.247.131.* Again these "default", SPF-like rules SHOULD only applied where there is precise knowledge. I can't envision a general "SPF Default" rule applicable to all non-SPF domains. Is there such a thing? -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com
- [spfbis] Suggestion for an additional deliverable Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Dave CROCKER
- Re: [spfbis] Suggestion for an additional deliver… SM
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Commerco WebMaster
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Dotzero
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Dave CROCKER
- [spfbis] Augmenting SPF with additional Email tec… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Stuart Gathman
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- [spfbis] A-R vs SPF-R, was Suggestion for an addi… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Philip Gladstone
- Re: [spfbis] Suggestion for an additional deliver… Stuart D Gathman
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- [spfbis] HardFail Marking vs HardFail Rejects Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- [spfbis] Local macros strike again, was Suggestio… Alessandro Vesely
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Alessandro Vesely
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Derek Diget
- Re: [spfbis] Local macros strike again, was Sugge… Murray S. Kucherawy
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Derek Diget
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Murray S. Kucherawy
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- [spfbis] SPF metrics, was Limits Alessandro Vesely
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Local macros strike again, was Sugge… Murray S. Kucherawy
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Commerco WebMaster