ietf-smtp

Re: SMTP Mail Hosting and TMS Recommendations

2005-06-20 12:39:24

Small follow up to answer a specific question you had:

----- Original Message -----
From: "Bruce Lilly" <blilly(_at_)erols(_dot_)com>
To: <ietf-smtp(_at_)imc(_dot_)org>
Sent: Monday, June 20, 2005 1:10 PM
Subject: Re: SMTP Mail Hosting and TMS Recommendations


No. It is known that some hare-brained schemes are harmful (e.g. issue
a test message using a server specified as an MX host for the MAIL FROM
domain (if not a null reverse path); hint: consider what happens if both
servers do that).  No "R&D" is needed to see that some schemes are
harmful.

First, for the non-listening audience, you are referring to what is called
a CBV (Call Back Verifier).  I 100% uncategorically disagree with you on its
technical merits, especially since you have little detailed implementation
experience with it, as is evident by the statement.

Nonetheless, I can tell you what the current CBV implementation method is to
address your parenthetically embedded Hint statement:

            "Consider what happens if both servers do that."

Your hint refers to a "loopback" issue often incorrectly stated by CBV
opponents.

In short, the answer is that the CBV will use a NULL return path or
"PostMaster" address in some implementations for the CBV session.  Hence the
target CBV host with its own CBV support will not have a return path
address to perform a CBV loopback.

In addition, the CBV is used as a final fallback check, and for us, the CBV
resolves a majority of the SPF spoofing issues or SPF relaxed provision
issues.  I won't go into logic details since you probably aren't listening
anyway, but I would recommend that you research the issues yourself before
commenting further.

Here is a simple current real life example of how it traps SPF relaxed
policies.  In the example below various tests are performed, including an SPF
test which results in a neutral policy.  One of the flaws in SPF is that it
only validates the DOMAIN part of the Return Path address.  A neutral will
trigger a CBV check, and the results show it is an invalid address at the
domain host.

20050619 16:05:36 version    : 2.01 / 1.62
20050619 16:05:36 calltype   : SMTP
20050619 16:05:36 state      : rcpt
20050619 16:05:36 srvdom     : winserver.com
20050619 16:05:36 srvip      : 208.247.131.9
20050619 16:05:36 cip        : 219.249.179.187
20050619 16:05:36 cdn        : 219.249.179.187
20050619 16:05:36 from       : <wbeelfasicom(_at_)maloney(_dot_)org>
20050619 16:05:36 rcpt       : <andrea(_dot_)santos(_at_)santronics(_dot_)com>
20050619 16:05:36 testorder  : FLT RBL SPF CEP CBV
20050619 16:05:36 sapfilter  : pass (time:78)
20050619 16:05:36 saprbl     : testing 187.179.249.219.sbl.spamhaus.org
20050619 16:05:36 saprbl     : testing 187.179.249.219.list.dsbl.org
20050619 16:05:36 saprbl     : testing 187.179.249.219.bl.spamcop.net
20050619 16:05:36 saprbl     : pass (time:265)
20050619 16:05:37 sapspf     : v=spf1 ip4:205.158.62.0/24
                               ip4:208.36.123.0/24
                               ip4:203.86.166.0/24
                               ip4:210.177.227.128/28
                               ip4:203.86.162.160/28
                               ip4:210.184.92.208/29
                               ip4:216.10.106.0/24 ?all
20050619 16:05:37 sapspf     : neutral (time:141)
20050619 16:05:39 sapcbv     : total mx records: 5
20050619 16:05:39 try mx     : neti-outblaze-com.mr.outblaze.com
                               ip: 205.158.62.229
20050619 16:05:39 # connecting to 205.158.62.229
20050619 16:05:39 S: 220 spf6-1s.us4.outblaze.com ESMTP Postfix
20050619 16:05:39 C: NOOP WCSAP v2.01 Wildcat! Sender Authentication
                     Protocol http://www.santronics.com
20050619 16:05:39 S: 250 Ok
20050619 16:05:39 C: HELO mail.winserver.com
20050619 16:05:40 S: 250 spf6-1s.us4.outblaze.com
20050619 16:05:40 C: MAIL FROM: <>
20050619 16:05:40 S: 250 Ok
20050619 16:05:40 C: RCPT TO: <wbeelfasicom(_at_)maloney(_dot_)org>
20050619 16:05:41 S: 550 <wbeelfasicom(_at_)maloney(_dot_)org>: User unknown
20050619 16:05:41 C: QUIT
20050619 16:05:41 sapcbv     : 550
20050619 16:05:41 result     : reject (0)
20050619 16:05:41 smtp code  : 550
20050619 16:05:41 reason     : Rejected by WCSAP CBV
20050619 16:05:41 wcsap finish (4812 msecs)

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
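The exchange in the log above, and the "loopback" argument in the reply, as an added example that is not part of the original message and not code from Santronics' WCSAP. Both endpoints are toy in-memory SMTP state machines; the host names, mailbox lists and the domain-to-MX table are constructed, and the verdict rules (SPF pass/fail settle it, weaker results fall through to CBV) are an assumption about a typical test order rather than a description of the product.

```python
"""Toy call-back verification (CBV) exchange with a null reverse path.

Added example; not code from the original post or from WCSAP. Hosts,
mailboxes and the resolver table below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NULL_REVERSE_PATH = "<>"


@dataclass
class ToyMxServer:
    """Minimal receiving MTA understanding HELO / NOOP / MAIL / RCPT / QUIT."""
    hostname: str
    mailboxes: set
    does_cbv: bool = False                 # this MX runs CBV on inbound MAIL FROM
    resolver: dict = field(default_factory=dict)  # domain -> ToyMxServer (toy "DNS")
    outbound_cbv_sessions: int = 0         # CBV probes this server itself started
    sender: Optional[str] = None

    def banner(self) -> str:
        return f"220 {self.hostname} ESMTP toy"

    def respond(self, command: str) -> str:
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "NOOP"):
            return f"250 {self.hostname}" if verb == "HELO" else "250 Ok"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip()
            if self.sender != NULL_REVERSE_PATH and self.does_cbv:
                # A real reverse path gives this server an address to verify,
                # so it starts its own CBV session back to the sender's MX.
                code, _ = cbv_check(self.resolver, self.sender.strip("<>"), self.hostname)
                self.outbound_cbv_sessions += 1
                if code.startswith("5"):
                    return f"550 {self.sender}: sender verification failed"
            return "250 Ok"   # MAIL FROM:<> carries nothing to call back to
        if verb == "RCPT":
            addr = arg.split(":", 1)[1].strip().strip("<>")
            return "250 Ok" if addr in self.mailboxes else f"550 <{addr}>: User unknown"
        if verb == "QUIT":
            return f"221 {self.hostname} closing"
        return "500 Command not recognized"


def cbv_check(resolver: dict, sender_address: str, helo: str) -> Tuple[str, List[str]]:
    """Probe the sender's MX with MAIL FROM:<>, as in the quoted log.

    Returns the RCPT TO reply code and the C:/S: transcript.
    """
    mx = resolver[sender_address.rsplit("@", 1)[1]]   # toy stand-in for an MX lookup
    transcript = [f"S: {mx.banner()}"]

    def send(cmd: str) -> str:
        transcript.append(f"C: {cmd}")
        reply = mx.respond(cmd)
        transcript.append(f"S: {reply}")
        return reply

    send(f"HELO {helo}")
    send(f"MAIL FROM: {NULL_REVERSE_PATH}")
    reply = send(f"RCPT TO: <{sender_address}>")
    send("QUIT")
    return reply[:3], transcript


def decide(spf_result: str, resolver: dict, sender_address: str, helo: str) -> Tuple[str, str]:
    """Assumed test order: SPF pass/fail settle it; neutral/softfail/none fall through to CBV."""
    if spf_result == "pass":
        return "accept", "spf pass"
    if spf_result == "fail":
        return "reject", "spf fail"
    code, _ = cbv_check(resolver, sender_address, helo)
    if code.startswith("2"):
        return "accept", f"cbv {code}"
    return ("tempfail" if code.startswith("4") else "reject"), f"cbv {code}"


def build_toy_network() -> dict:
    """Constructed hosts; both run CBV, so a scheme using a real reverse path would loop."""
    resolver: dict = {}
    resolver["maloney.org"] = ToyMxServer("mx.maloney.example", {"real.user@maloney.org"},
                                          does_cbv=True, resolver=resolver)
    resolver["santronics.com"] = ToyMxServer("mail.winserver.example",
                                             {"andrea.santos@santronics.com"},
                                             does_cbv=True, resolver=resolver)
    return resolver


if __name__ == "__main__":
    net = build_toy_network()
    print(decide("neutral", net, "wbeelfasicom@maloney.org", "mail.winserver.example"))
    for line in cbv_check(net, "wbeelfasicom@maloney.org", "mail.winserver.example")[1]:
        print(line)
    print("probed host started", net["maloney.org"].outbound_cbv_sessions, "CBV sessions")
```

Running it reproduces the shape of the quoted session (HELO, MAIL FROM:<>, RCPT TO the sender, 550 User unknown, QUIT) and shows that the probed MX, although it performs CBV itself, never opens a session back, because the null reverse path gives it no address to verify; a normal delivery with a real MAIL FROM to the same host does trigger exactly one callback and no more.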