Re: [spfbis] Question about SPF checks based on RFC 7208
Scott Kitterman <spf2@kitterman.com> Sun, 01 May 2016 01:08 UTC
Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38FD612B045 for <spfbis@ietfa.amsl.com>; Sat, 30 Apr 2016 18:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nFAPRSlFPRc for <spfbis@ietfa.amsl.com>; Sat, 30 Apr 2016 18:08:53 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA22E12D1AD for <spfbis@ietf.org>; Sat, 30 Apr 2016 18:08:53 -0700 (PDT)
Received: from [192.168.111.103] (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 940C2C40152; Sat, 30 Apr 2016 20:08:52 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1462064932; bh=buE9yMxuLcI7BksK7t/m/y2qFIlcMDfFH0AUdZLnx4A=; h=In-Reply-To:References:Subject:From:Date:To:From; b=nG4wpEs7hjrc9sDlEfmc2x1SyLrJrhipNwjW+qr5XOoMBRkyNHk4WtjcPzbL2QUFQ jl5gJRC4hSdxPraoR07yvhqKnW+JZ8B1wyTY0qbiTjls32uJj21Up00Nnx9v/5J/Oo 1GOdPlNDL0lY3CGjOpajvRdQG2hkpvVzVFP2Z23s=
User-Agent: K-9 Mail for Android
In-Reply-To: <002101d1a342$c93e3000$5bba9000$@iname.com>
References: <002101d1a342$c93e3000$5bba9000$@iname.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Scott Kitterman <spf2@kitterman.com>
Date: Sat, 30 Apr 2016 21:08:50 -0400
To: spfbis@ietf.org
Message-ID: <255DF248-2870-4727-9F10-259598592509@kitterman.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spfbis/eaaevRXAzq2YO8o8IMJ8aHb4wxI>
Subject: Re: [spfbis] Question about SPF checks based on RFC 7208
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 May 2016 01:08:56 -0000
On April 30, 2016 8:45:40 PM EDT, Frank Bulk <frnkblk@iname.com> wrote: >While working through a SPF failure for a message sent from our >IPv6-capable >email server (for premieronline.net), I ran an across an SPF checker >(http://vamsoft.com/support/tools/spf-policy-tester) that had a hard >fail >when these values were entered: > 2607:fe28:0:4000::20 > fbulk@premieronline.net > >premieronline.net's record is as follow: > v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64 >ip6:2607:fe28:0:4000::/64 ~all > >The tool tries to work through the MX records of premieronline.net, but >for >some reason it specifically queries for an AAAA for each MX record, of >which >we don't have one (because our inbound email gateway does not yet >support >IPv6). Since we have four MX records, it work through two of them >(which >both fail) and then the tool hard fails saying that, > "The maximum void DNS lookup limit of 2 has been exceeded during the >evaluation (see RFC7208 Section 4.6.4.)." > >This is the only SPF tool to fail in this way, which makes we wonder if >it's >the site's SPF checking methodology for RFC 7208 section 5.4 is >correct. If >so, and other email gateways have implemented their SPF checking in the >same >way, there could be more incorrect SPF evaluation checks out there. If >the >site's SPF checking methodology is incorrect, can you point me to a >section >in any RFC that would suggest a better/proper approach? > >Either way, does RFC 7208 need some clarification on this matter? My >guess >is that "it performs an address lookup on each MX name" is not >equivalent to >"check for an AAAA on each MX name and check for an A on each MX name", >but >I'm not sure. > >Frank > > >5.4. "mx" > > This mechanism matches if <ip> is one of the MX hosts for a domain > name. > > mx = "mx" [ ":" domain-spec ] [ dual-cidr-length ] > > check_host() first performs an MX lookup on the <target-name>. Then > it performs an address lookup on each MX name returned. The <ip> is > compared to each returned IP address. To prevent denial-of-service > (DoS) attacks, the processing limits defined in Section 4.6.4 MUST be > followed. If the MX lookup limit is exceeded, then "permerror" is > returned and the evaluation is terminated. If any address matches, > the mechanism matches. > > Note regarding implicit MXes: If the <target-name> has no MX record, > check_host() MUST NOT apply the implicit MX rules of [RFC5321] by > querying for an A or AAAA record for the same name. I think they are just wrong. If either an IPv4 or IPv6 address is returned it's not a void look up. That's described at the end of 4.6.4 and is, I think clear. I'd report it as a bug. Scott K
- Re: [spfbis] Question about SPF checks based on R… S Moonesamy
- Re: [spfbis] Question about SPF checks based on R… Frank Bulk
- [spfbis] Question about SPF checks based on RFC 7… Frank Bulk
- Re: [spfbis] Question about SPF checks based on R… Scott Kitterman
- Re: [spfbis] Question about SPF checks based on R… Kurt Andersen
- Re: [spfbis] Question about SPF checks based on R… Stuart Gathman
- Re: [spfbis] Question about SPF checks based on R… Scott Kitterman
- Re: [spfbis] Question about SPF checks based on R… Stuart D. Gathman
- Re: [spfbis] Question about SPF checks based on R… Scott Kitterman
- Re: [spfbis] Question about SPF checks based on R… frnkblk
- Re: [spfbis] Question about SPF checks based on R… S Moonesamy
- Re: [spfbis] Question about SPF checks based on R… Kurt Andersen
- Re: [spfbis] Question about SPF checks based on R… S Moonesamy
- Re: [spfbis] Question about SPF checks based on R… Murray S. Kucherawy
- Re: [spfbis] Question about SPF checks based on R… Kurt Andersen
- Re: [spfbis] Question about SPF checks based on R… Stuart Gathman
- Re: [spfbis] Question about SPF checks based on R… Scott Kitterman