spf-discuss

RE: The New SPF: introducing RFROM

2004-05-25 11:56:17
From: Meng Weng Wong
Sent: Monday, May 24, 2004 9:55 PM


On Tue, May 25, 2004 at 12:30:38AM +0100, Roy Badami wrote:
| >>>>> "Greg" == Greg Connor <gconnor(_at_)nekodojo(_dot_)org> writes:
|
|     Greg> Actually Sender: is not as obscure
|
| I'll grant that it's more widely used than Resent-*
|
| But in a world where most MUA's submit by (unauthenticated) SMTP, and
| don't even allow the user to separately configure the header and
| envelope sender, I'll maintain that the ability to specify multiple
| identities in the headers is "relatively obscure".
|

In my ideal scenario, a user would submit via SMTP AUTH to the MTA,
and the authenticated address would be in the RFROM.  That would be
independent of what the MUA submitted in the return-path.

This is an interesting idea.  As I understand it, the first hop does not have
an RFROM and this forces SPF to use MAIL FROM:.  As dedicated 2821
zealots <grin>, what we would like to ensure is that MAIL FROM: is not a
forgery when it arrives at the final recipient.  Requiring the first hop to
leave off RFROM by using MUST NOT language would force the first SPF check
to be done on MAIL FROM: and help ensure that.  On the other hand, depending
on how the PRD extraction algorithm works, if RFROM on the first hop would
always be identical to MAIL FROM:, then this is unnecessary.  Clearly, we
need to understand how PRD (PRA) extraction works if we are to intelligently
consider the advantages and weaknesses of this protocol.

Let's assume that the foreign domain has neither SMTP AUTH nor a VPN set up
to allow their employees to send business mail in the preferred manner.  To
get around this deficiency, they list the home ISP user accounts of their
key employees in their domain SPF record.  One of these privileged users
configures their MUA to set From: and Reply-To: to be their address at the
foreign domain, for example BigKahuna@BigCompany.com.  The user connects to
their ISP, authenticates by POP-before-SMTP as JoeSchmoe@ISP.com and
transmits the message to the MSA via SMTP.  The MSA now has a message that
it knows came from JoeSchmoe@ISP.com, but asks to be sent on behalf of Mr.
Big Kahuna at a foreign domain.

My very limited understanding of the PRD extraction algorithm suggests that
the MSA should leave the "forged" headers alone, set MAIL FROM: to be the
FROM: address and intentionally _not_ use RFROM.  This will force the first
recipient to do the SPF check on MAIL FROM:, which will validate ISP.com (or
perhaps even JoeSchmoe@ISP.com) as a designated sender for BigCompany.com.
When the SPF check passes, the first recipient moves on to DATA and then
does the PRD (PRA) extraction from the headers.  Here's an example of what
the headers might look like:

Received: from msa08.mail.ISP.com (msa08.mail.ISP.com [xxx.xxx.xxx.xxx])
        by mta04.mail.ISP.com (8.12.10/8.12.2) with SMTP id zzzzz
        for <recipient-address>; Tue, 25 May 2004 13:37:45 -0500 (CDT)
Received: from JoeSchmoe (pool-yyyy.ISP.COM [xxx.xxx.xxx.xxx])
        by msa08.mail.ISP.com (8.12.10/8.12.2) with SMTP id yyyyy
        for <recipient-address>; Tue, 25 May 2004 13:37:41 -0500 (CDT)
Reply-To: <BigKahuna@BigCompany.com>
From: "Big Kahuna" <BigKahuna@BigCompany.com>


Now, what does the PRA extraction algorithm do in a case like this?  Does
the PRA for that message resolve to BigKahuna@BigCompany.com,
JoeSchmoe@ISP.com or mta04@mail.ISP.com?

--

Seth Goodman
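
Added example, not part of the message above or of any SPF project code: a Python implementation of Purported Responsible Address selection following the steps later published in RFC 4407 section 2, run over the headers from the message. RFC 4407 postdates this thread, so the draft algorithm under discussion in May 2004 may have differed; `extract_pra` is a hypothetical helper name.

```python
from email import message_from_string
from email.utils import getaddresses

TRACE = {"received", "return-path"}

# Headers copied from the message above, with the archive's address
# obfuscation undone; the xxx/yyyyy/zzzzz placeholders are the page's own.
SAMPLE = (
    "Received: from msa08.mail.ISP.com (msa08.mail.ISP.com [xxx.xxx.xxx.xxx])\n"
    "\tby mta04.mail.ISP.com (8.12.10/8.12.2) with SMTP id zzzzz\n"
    "\tfor <recipient-address>; Tue, 25 May 2004 13:37:45 -0500 (CDT)\n"
    "Received: from JoeSchmoe (pool-yyyy.ISP.COM [xxx.xxx.xxx.xxx])\n"
    "\tby msa08.mail.ISP.com (8.12.10/8.12.2) with SMTP id yyyyy\n"
    "\tfor <recipient-address>; Tue, 25 May 2004 13:37:41 -0500 (CDT)\n"
    "Reply-To: <BigKahuna@BigCompany.com>\n"
    'From: "Big Kahuna" <BigKahuna@BigCompany.com>\n'
    "\n"
    "body\n"
)

def extract_pra(raw):
    """Return the PRA per RFC 4407 section 2, or None if the message is ill-formed."""
    hdrs = [(n.lower(), v.strip()) for n, v in message_from_string(raw).items()]

    def find(name):  # indexes of non-empty headers with this name, in order
        return [i for i, (n, v) in enumerate(hdrs) if n == name and v]

    rs, rf = find("resent-sender"), find("resent-from")
    # Step 1 is skipped when a Resent-From precedes the first Resent-Sender
    # with Received/Return-Path headers in between (a different resend hop).
    blocked = bool(rs) and any(
        j < rs[0] and any(hdrs[k][0] in TRACE for k in range(j + 1, rs[0]))
        for j in rf)
    chosen = None
    if rs and not blocked:          # step 1: first Resent-Sender
        chosen = rs[0]
    elif rf:                        # step 2: first Resent-From
        chosen = rf[0]
    else:                           # steps 3 and 4: Sender, then From
        for name in ("sender", "from"):
            hits = find(name)
            if len(hits) > 1:
                return None         # step 6: duplicated header
            if hits:
                chosen = hits[0]
                break
    if chosen is None:
        return None                 # step 6: no candidate header at all
    # Step 5: the selected header must hold exactly one mailbox with a domain.
    addrs = getaddresses([hdrs[chosen][1]])
    local, _, domain = addrs[0][1].rpartition("@") if len(addrs) == 1 else ("", "", "")
    return addrs[0][1] if local and domain else None
```

On the sample headers the function returns the From: mailbox, because the message carries no Resent-* or Sender header; Received and Reply-To are never candidates under these steps.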

