spf-discuss

Re: Re: SPF and complexity

2004-05-11 12:10:21
On Tue, 11 May 2004, Tony Finch wrote:

> I also observe that any configuration system flexible enough to be useful
> in all the weird and wonderful email setups out there is likely to be
> Turing complete; this has been demonstrated for Sendmail and Exim, and is
> probably the case for Postfix.

It is important that SPF not be Turing complete - because mail recipients
do not want to execute arbitrary code specified by the sender (ignore
for the purposes of this argument the tendency of end users to execute
attachments labeled "Do not open").

However, this means that while SPF covers 99.9% of mail sending situations,
there are some corner cases that aren't covered without adding an 
ever growing arsenal of specialized mechanisms or using the exists
mechanism with a custom DNS server (see below).

After thinking about it, I believe adding something like a DVP mechanism
to SPF provides complete generality without endangering mail recipients.

Here is a hypothetical example to illustrate.  Suppose I have end users
who normally email from the office:

v=spf1 mx -all

However, they go on sales trips to sites where they use a client's computers
to send email - hence they don't want to use SMTP AUTH and potentially leave
passwords on the client's machine.  So the SPF record is augmented
temporarily while they are at the client:

v=spf1 mx include:client.com -all

However, DNS caching makes this kind of temporary update unreliable.
So, instead, there is a DVP server to handle such cases:

v=spf1 mx dvp:dvpserver.example.com -all

The DVP server is now consulted for emails which do not originate at
the home office, and can respond in realtime.  The TCP connection is
way more expensive, but the sender bears the brunt of the cost, and
the sender makes the decision to deploy it because he needs the flexibility.

While we are limiting DNS lookups, we could count each DVP consultation
as, say, 5 DNS lookups.

Most likely, this idea won't make it into SPF v1.  So if it gets added
to v2, then clients that don't recognize the DVP mechanism will return
a neutral result.  This would reflect how SPF would currently handle
such a situation:

v=spf1 mx ?all

It is true that the exists mechanism with a custom DNS server and a low
TTL accomplishes the same thing.  However, I submit the following:

1) It is harder to think about how to use exists to solve a problem
   - at least for me.  It is obvious to me how I would program
   a simple TCP server to answer yes or no given the same information.

2) There are no tools available to simply and safely construct a
   custom DNS server.  It would be handy if bind could recursively query
   an internal server for a specified subdomain, and if the internal
   server need not implement the full DNS protocol.

Objection 2 to using "exists" as a general escape mechanism could be
solved with a toolkit.  Objection 1 could be solved with practice 
and examples.  However, there is something to be said for a more 
expensive, but easy to understand and implement way to handle those
corner cases.

I would be happy to hear about tools that I could use to implement
a general purpose "exists" server without having to reinvent bind.

In any case, whether via exists and a custom DNS server, or via a dvp
mechanism, any Turing completeness should be on the sender's side -
not the recipient's.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
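A constructed example, not code from the post or from any SPF implementation: a toy record evaluator that models the hypothetical dvp mechanism sketched above, charging each DVP consultation as 5 lookups against a 10-lookup budget and returning neutral for any mechanism the checker does not understand (the v1 fallback the post expects). The dvp mechanism, the DvpOracle callback and the in-memory zone and MX tables standing in for DNS are all assumptions.

```python
# Constructed example: toy evaluator for the hypothetical "dvp" mechanism from the post.
# Not the SPF spec or any real checker; DNS is replaced by in-memory tables.
from typing import Callable, Dict, List, Optional, Tuple

Zone = Dict[str, str]           # domain -> SPF record (stands in for the TXT lookup)
MxTable = Dict[str, List[str]]  # domain -> IPs of its MX hosts (stands in for MX + A)
DvpOracle = Callable[[str, str, str], bool]  # (dvp host, sender ip, domain) -> yes/no

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DVP_COST = 5       # the post suggests charging one DVP consultation as ~5 DNS lookups
LOOKUP_LIMIT = 10  # conventional DNS lookup budget for one evaluation

def evaluate(domain: str, ip: str, zone: Zone, mx: MxTable, dvp: DvpOracle,
             supports_dvp: bool = True,
             budget: Optional[List[int]] = None) -> Tuple[str, int]:
    """Return (result, lookups_used). A mechanism this checker does not know yields
    'neutral', which is how the post expects v1 checkers to treat a v2-only 'dvp'."""
    lookups = budget if budget is not None else [0]   # shared across include: recursion
    terms = zone.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none", lookups[0]
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "mx":
            lookups[0] += 1
            matched = ip in mx.get(arg or domain, [])
        elif name == "include":
            lookups[0] += 1
            sub, _ = evaluate(arg, ip, zone, mx, dvp, supports_dvp, lookups)
            if sub == "permerror":
                return sub, lookups[0]
            matched = sub == "pass"
        elif name == "dvp" and supports_dvp:
            lookups[0] += DVP_COST     # the "expensive" realtime TCP consultation
            matched = dvp(arg, ip, domain)
        else:
            return "neutral", lookups[0]   # unknown mechanism: no opinion
        if lookups[0] > LOOKUP_LIMIT:
            return "permerror", lookups[0]
        if matched:
            return QUALIFIERS[qual], lookups[0]
    return "neutral", lookups[0]
```

Running the office record against an IP that the oracle approves costs 6 lookups, so a second dvp term in the same record already pushes a non-matching evaluation past the budget.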