On Sun, Dec 07, 2003 at 07:56:29PM +0100, Philipp Morger wrote:
| OK... I give it a shot...
sorry, i didn't get to look at this message until now.
|
| One note for developers, or the RFC-Editor of SPF, it might look obvious but I want
| to point out that there might be a certain "hole" in the ptr mechanism:
|
| assume I know that MTA mta.example.com allows mail from ptr:backuphost.example.com - when
| I enter a PTR for my IP that points to backuphost.example.com then I'm in.
|
| You have to verify that the IP's PTR also has a matching forward record! (which in
| turn might IMHO be an A, AAAA or CNAME record)
|
that's true; i have put in some pseudocode in the latest version of the
draft to explain PTR forward validation.
5.4 'ptr'
This mechanism tests if the <sending-host>'s name is within a
particular domain.
PTR = 'ptr' [ ':' domain-spec ]
First the <sending-host>'s name is looked up using this procedure:
perform a PTR lookup against the <sending-host>'s IP. For each
record returned, validate the host name by looking up its IP address.
If the <sending-host>'s IP is among the returned IP addresses, then
that host name is validated.
Pseudocode:

    PTR-lookup(sending-host_IP) -> sending-host_names
    for each name in (sending-host_names) {
        A-lookup(name) -> IP_addresses
        if the sending-host_IP is one of the IP_addresses {
            validated_sending-host_names += name
        }
    }
Check all validated hostnames to see if they end in the <target-name>
domain. If any do, this mechanism matches. If no validated hostname
can be found, or if none of the validated hostnames end in the
<target-name>, this mechanism fails to match.
Pseudocode:

    for each name in (validated_sending-host_names) {
        if name ends in <domain-spec>, return match.
        if name is <domain-spec>, return match.
    }
This mechanism matches if the <target-name> is a parent node of the
<sending-host>, or if the <target-name> and the <sending-host> are
the same. For example: "mail.example.com" is within the domain
"example.com", but "mail.bad-example.com" is not. If a validated
hostname is the <target-name>, a match results.
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt
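The forward-validation procedure from the draft excerpt above, worked through as an added example (this is not code from the draft or from the SPF project). It runs against a constructed in-memory DNS table rather than real lookups; every address and hostname in it is made up, the CNAME-chasing and the cap on PTR names are assumptions of this example and not part of the quoted draft text, and the domain-suffix test is done on label boundaries so that "mail.bad-example.com" does not match "example.com". The naive variant shows the hole Philipp describes: an attacker who controls the reverse zone for their own address can point its PTR at backuphost.example.com, and only the forward lookup exposes that.

```python
"""Forward-confirmed reverse DNS for the SPF 'ptr' mechanism (added example).

No network access: lookups go to the constructed DNS table below.
"""
import ipaddress

# Constructed zone data (assumption: none of these are real records).
DNS = {
    ("192.0.2.10", "PTR"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["192.0.2.10"],
    # backup host whose forward record is a CNAME to another name
    ("192.0.2.20", "PTR"): ["backuphost.example.com."],
    ("backuphost.example.com.", "CNAME"): ["mx2.example.com."],
    ("mx2.example.com.", "A"): ["192.0.2.20"],
    # IPv6 sender with an AAAA forward record
    ("2001:db8::25", "PTR"): ["mail6.example.com."],
    ("mail6.example.com.", "AAAA"): ["2001:db8::25"],
    # attacker: controls reverse DNS for 198.51.100.7, points it at a trusted name,
    # but cannot add that address to example.com's forward zone
    ("198.51.100.7", "PTR"): ["backuphost.example.com."],
    # look-alike domain that forward-confirms but is not within example.com
    ("203.0.113.5", "PTR"): ["mail.bad-example.com."],
    ("mail.bad-example.com.", "A"): ["203.0.113.5"],
}

MAX_PTR_NAMES = 10   # assumption: bound the work an attacker's reverse zone can cause
MAX_CNAME_DEPTH = 5  # assumption: bound CNAME chains


def lookup(owner, rtype):
    """Return the records of type rtype at owner from the constructed table."""
    return list(DNS.get((owner, rtype), []))


def forward_addresses(name, depth=0):
    """Resolve a hostname to its A and AAAA addresses, following CNAMEs."""
    if depth > MAX_CNAME_DEPTH:
        return []
    cnames = lookup(name, "CNAME")
    if cnames:
        return [a for c in cnames for a in forward_addresses(c, depth + 1)]
    return lookup(name, "A") + lookup(name, "AAAA")


def validated_names(sending_host_ip):
    """Draft step 1: PTR names that forward-resolve back to the sending IP."""
    ip = ipaddress.ip_address(sending_host_ip)
    validated = []
    for name in lookup(sending_host_ip, "PTR")[:MAX_PTR_NAMES]:
        forward = {ipaddress.ip_address(a) for a in forward_addresses(name)}
        if ip in forward:
            validated.append(name)
    return validated


def in_domain(name, domain):
    """True if name equals domain or ends in it on a label boundary."""
    n = name.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return n == d or n.endswith("." + d)


def ptr_mechanism(sending_host_ip, domain_spec):
    """Draft step 2: match if any validated name is within <domain-spec>."""
    return any(in_domain(n, domain_spec) for n in validated_names(sending_host_ip))


def naive_ptr_mechanism(sending_host_ip, domain_spec):
    """The hole: trusting PTR names without the forward check."""
    return any(in_domain(n, domain_spec) for n in lookup(sending_host_ip, "PTR"))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "2001:db8::25", "198.51.100.7", "203.0.113.5"):
        print(ip, "naive:", naive_ptr_mechanism(ip, "example.com"),
              "validated:", ptr_mechanism(ip, "example.com"))
```

Running it prints a match for the three legitimate example.com hosts under both variants, while 198.51.100.7 matches only under the naive check and 203.0.113.5 matches under neither.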