Re: [spfbis] Question about SPF checks based on RFC 7208

Scott Kitterman <spf2@kitterman.com> Sun, 01 May 2016 01:08 UTC

Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38FD612B045 for <spfbis@ietfa.amsl.com>; Sat, 30 Apr 2016 18:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nFAPRSlFPRc for <spfbis@ietfa.amsl.com>; Sat, 30 Apr 2016 18:08:53 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA22E12D1AD for <spfbis@ietf.org>; Sat, 30 Apr 2016 18:08:53 -0700 (PDT)
Received: from [192.168.111.103] (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 940C2C40152; Sat, 30 Apr 2016 20:08:52 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1462064932; bh=buE9yMxuLcI7BksK7t/m/y2qFIlcMDfFH0AUdZLnx4A=; h=In-Reply-To:References:Subject:From:Date:To:From; b=nG4wpEs7hjrc9sDlEfmc2x1SyLrJrhipNwjW+qr5XOoMBRkyNHk4WtjcPzbL2QUFQ jl5gJRC4hSdxPraoR07yvhqKnW+JZ8B1wyTY0qbiTjls32uJj21Up00Nnx9v/5J/Oo 1GOdPlNDL0lY3CGjOpajvRdQG2hkpvVzVFP2Z23s=
User-Agent: K-9 Mail for Android
In-Reply-To: <002101d1a342$c93e3000$5bba9000$@iname.com>
References: <002101d1a342$c93e3000$5bba9000$@iname.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
From: Scott Kitterman <spf2@kitterman.com>
Date: Sat, 30 Apr 2016 21:08:50 -0400
To: spfbis@ietf.org
Message-ID: <255DF248-2870-4727-9F10-259598592509@kitterman.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spfbis/eaaevRXAzq2YO8o8IMJ8aHb4wxI>
Subject: Re: [spfbis] Question about SPF checks based on RFC 7208
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 May 2016 01:08:56 -0000


On April 30, 2016 8:45:40 PM EDT, Frank Bulk <frnkblk@iname.com>; wrote:
>While working through a SPF failure for a message sent from our
>IPv6-capable
>email server (for premieronline.net), I ran an across an SPF checker
>(http://vamsoft.com/support/tools/spf-policy-tester) that had a hard
>fail
>when these values were entered:
>	2607:fe28:0:4000::20
>	fbulk@premieronline.net
>
>premieronline.net's record is as follow:
>	v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64
>ip6:2607:fe28:0:4000::/64 ~all
>
>The tool tries to work through the MX records of premieronline.net, but
>for
>some reason it specifically queries for an AAAA for each MX record, of
>which
>we don't have one (because our inbound email gateway does not yet
>support
>IPv6).  Since we have four MX records, it work through two of them
>(which
>both fail) and then the tool hard fails saying that,
>	"The maximum void DNS lookup limit of 2 has been exceeded during the
>evaluation (see RFC7208 Section 4.6.4.)."
>
>This is the only SPF tool to fail in this way, which makes we wonder if
>it's
>the site's SPF checking methodology for RFC 7208 section 5.4 is
>correct.  If
>so, and other email gateways have implemented their SPF checking in the
>same
>way, there could be more incorrect SPF evaluation checks out there.  If
>the
>site's SPF checking methodology is incorrect, can you point me to a
>section
>in any RFC that would suggest a better/proper approach?
>
>Either way, does RFC 7208 need some clarification on this matter?  My
>guess
>is that "it performs an address lookup on each MX name" is not
>equivalent to
>"check for an AAAA on each MX name and check for an A on each MX name",
>but
>I'm not sure.
>
>Frank
>
>
>5.4.  "mx"
>
>   This mechanism matches if <ip> is one of the MX hosts for a domain
>   name.
>
>   mx               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]
>
>   check_host() first performs an MX lookup on the <target-name>.  Then
>   it performs an address lookup on each MX name returned.  The <ip> is
>   compared to each returned IP address.  To prevent denial-of-service
>  (DoS) attacks, the processing limits defined in Section 4.6.4 MUST be
>   followed.  If the MX lookup limit is exceeded, then "permerror" is
>   returned and the evaluation is terminated.  If any address matches,
>   the mechanism matches.
>
>   Note regarding implicit MXes: If the <target-name> has no MX record,
>   check_host() MUST NOT apply the implicit MX rules of [RFC5321] by
>   querying for an A or AAAA record for the same name.

I think they are just wrong.  If either an IPv4 or IPv6 address is returned it's not a void look up.  That's described at the end of 4.6.4 and is, I think clear.  I'd report it as a bug.

Scott K