spf-discuss

Unified SPF: Example for dialup ISP

2004-06-18 13:37:55
On Fri, Jun 18, 2004 at 01:42:21PM -0400, John Glube wrote:
| 
| Can you perhaps elaborate further on this point,
| so we can better understand your vision of how
| this will all come together?
| 

Use Case 3: dialup ISP

 example.net is an ISP with a web server, a dialin pool, and
 an MX pool.  This is an example that begins to approach the
 complexity seen in the real world.

 Web server:

        example.net A   192.0.2.1
                        192.0.2.1 PTR example.net
    www.example.net A   192.0.2.1

 Dialin pool:

      3-20.dialin.example.net A  192.0.3.20
                                 192.0.3.20 PTR 3-20.dialin.example.net

      3-21.dialin.example.net A  192.0.3.21
                                 192.0.3.21 PTR 3-21.dialin.example.net

      3-22.dialin.example.net A  192.0.3.22
                                 192.0.3.22 PTR 3-22.dialin.example.net

      3-23.dialin.example.net A  192.0.3.23
                                 192.0.3.23 PTR 3-23.dialin.example.net

 MX pool:

   example.net MX 10 a.mx.example.net
                     a.mx.example.net A 192.0.2.10
                                        192.0.2.10 PTR a.mx.example.net
   example.net MX 11 b.mx.example.net
                     b.mx.example.net A 192.0.2.11
                                        192.0.2.11 PTR b.mx.example.net

 Dialin users are expected to configure their MUAs to send
 mail through smtp.example.net.

   smtp.example.net A 192.0.2.10
   smtp.example.net A 192.0.2.11

 When mail is sent, in the common case,

    192.0.2.10 sends mail with
      HELO a.mx.example.net
      MAIL FROM:<user@example.net>
      From: <user@example.net>

    192.0.2.11 sends mail with
      HELO b.mx.example.net
      MAIL FROM:<user@example.net>
      From: <user@example.net>

                           * * *
                        SPF Classic

SPF Classic requires these four SPF records:

        example.net   TXT  "v=spf1 a mx -all"
    www.example.net   TXT  "v=spf1 a    -all"
   a.mx.example.net   TXT  "v=spf1 a    -all"
   b.mx.example.net   TXT  "v=spf1 a    -all"

The first is the important one; the second is there to
prevent spoofing of the www address; the third and fourth
are for HELO fallback, for when a.mx and b.mx need to send
NDNs with null MAIL FROM:<>.

                           * * *
     "Am I an MTA Or Not?": MTAMark / Selective Sender

MTAMark asks that network owners indicate whether an IP
address is an MTA or not.  SPF-used-as-MTAMark would require
these additional records to cover the dialin pool:

   3-20.dialin.example.net TXT "v=spf1 -all"
   3-21.dialin.example.net TXT "v=spf1 -all"
   3-22.dialin.example.net TXT "v=spf1 -all"
   3-23.dialin.example.net TXT "v=spf1 -all"

Personally, I don't think the above should be necessary.  I
think that if you get mail from a return-path that has only
an A record and neither an MX record nor an SPF record, you
should assume that it's not meant to be an MTA.  This rule
subsumes the MTAMark semantic.

                           * * *
                      HELO: CSV / DRIP

SPF-used-as-CSV/DRIP makes use of the existing records
   a.mx.example.net   TXT  "v=spf1 a    -all"
   b.mx.example.net   TXT  "v=spf1 a    -all"

                           * * *
                       PRA: SenderID

SPF-used-as-CallerID (which is now SenderID) covers the
Purported Responsible Address found in the headers:

    From: <user@example.net>

Now, let's see what happens when a user@example.net wants to
"legitimately forge" another email address:

    From: <my-other-email-address-is-at@hotmail.com>

Suppose the MUA injects with

    MAIL FROM:<my-other-email-address-is@hotmail.com>

Under Classic SPF, the ISP would have to SRS the
return-path on further deliveries, turning it into:

    MAIL FROM:<SRS0=LKl+=JL=hotmail.com=my-other-email-address-is@example.net>

  (The above transformation can be performed using

     perl -MMail::SRS -le 'my $srs = Mail::SRS->new(Secret=>["my secret"]);
                           print for $srs->forward(shift, shift);' \
       my-other-email-address-is@hotmail.com user@example.net )

To satisfy SenderID, the ISP would have to make sure the
Sender header was present, and if it was not present, to add
it:

    Sender: <user@example.net>

(We assume the ISP knows who the injecting user is, thanks
to SMTP AUTH or a PPPoE login or something like that.  If we
do not know, for "user" substitute a generic localpart such
as "mailer-dialup-2-30".)

With the SUBMITTER extension to SenderID, the return-path
would be:

    MAIL FROM:<my-other-email-address-is@hotmail.com> SUBMITTER=<user@example.net>

or even, if the ISP wants to play it safe and SRS the return path:

    MAIL FROM:<SRS0=LKl+=JL=hotmail.com=my-other-email-address-is@example.net> SUBMITTER=<user@example.net>


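Added illustration, not part of the post above and not code from Mail::SRS or any SPF implementation: a small Python walk-through of the dialup ISP case. It builds the example.net zone from the post as an in-memory stand-in for DNS, evaluates the four SPF Classic records against the sending hosts (including the HELO fallback when a.mx/b.mx send an NDN with a null MAIL FROM), applies the post's "only an A record, no MX and no SPF, so not an MTA" rule to a dialin host, and rewrites the hotmail.com return-path into an SRS0 address of the shape the Mail::SRS one-liner produces, so that the rewritten mail passes example.net's own record. Assumptions, all marked in the code: a constructed v=spf1 record for hotmail.com so that the unrewritten return-path visibly fails, the HMAC-SHA1/base64 construction of the SRS0 hash, and the placeholder secret "my secret" from the post. The two-character timestamp encoding reproduces the "JL" seen in the post for 2004-06-18.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed zone data mirroring the example.net layout in the post.  PTR records
# are omitted: the v=spf1 'a' and 'mx' mechanisms never consult them.  The
# hotmail.com entry is an ASSUMPTION (a stand-in policy), not hotmail's real record.
ZONE = {
    "example.net": {
        "A": ["192.0.2.1"],
        "MX": ["a.mx.example.net", "b.mx.example.net"],
        "TXT": ["v=spf1 a mx -all"],
    },
    "www.example.net": {"A": ["192.0.2.1"], "TXT": ["v=spf1 a -all"]},
    "a.mx.example.net": {"A": ["192.0.2.10"], "TXT": ["v=spf1 a -all"]},
    "b.mx.example.net": {"A": ["192.0.2.11"], "TXT": ["v=spf1 a -all"]},
    "smtp.example.net": {"A": ["192.0.2.10", "192.0.2.11"]},
    "3-20.dialin.example.net": {"A": ["192.0.3.20"]},
    "3-21.dialin.example.net": {"A": ["192.0.3.21"]},
    "hotmail.com": {"A": ["192.0.4.1"], "TXT": ["v=spf1 ip4:192.0.4.0/24 -all"]},
}


def records(name, rtype):
    """Stand-in for a DNS query against the constructed zone; [] when no such RR."""
    return list(ZONE.get(name.lower(), {}).get(rtype, []))


def check_spf(client_ip, mail_from, helo):
    """Minimal v=spf1 evaluator: 'a', 'mx', 'ip4' and 'all' with +/-/~/? qualifiers.
    A null MAIL FROM (<>) falls back to the HELO name, as in the NDN case."""
    domain = mail_from.rsplit("@", 1)[1] if "@" in mail_from else helo
    spf = [t for t in records(domain, "TXT") if t.startswith("v=spf1 ")]
    if not spf:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = str(ip) in records(target, "A")
        elif mech == "mx":
            matched = any(str(ip) in records(mx, "A") for mx in records(target, "MX"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"          # mechanism not supported by this toy evaluator
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                    # nothing matched and no 'all' term present


def looks_like_mta(domain):
    """The rule proposed in the post instead of per-host MTAMark records: a
    return-path domain with only an A record (no MX, no SPF) is not an MTA."""
    has_spf = any(t.startswith("v=spf1") for t in records(domain, "TXT"))
    return bool(records(domain, "MX")) or has_spf


SRS_SECRET = b"my secret"   # placeholder secret taken from the post's one-liner
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def srs_timestamp(days_since_epoch):
    """Two base32 characters carrying the day number modulo 1024."""
    t = days_since_epoch % 1024
    return BASE32[(t >> 5) & 31] + BASE32[t & 31]


def srs_forward(sender, alias, days_since_epoch):
    """SRS0 rewrite in the shape of Mail::SRS->forward($sender, $alias):
    SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<alias-domain>.
    ASSUMPTION: the hash is the first 4 base64 chars of HMAC-SHA1 over the
    lower-cased timestamp, domain and local part; this models Mail::SRS, it is
    not copied from it, so the hash chars will not equal the post's 'LKl+'."""
    local, domain = sender.rsplit("@", 1)
    alias_domain = alias.rsplit("@", 1)[-1]   # only the domain of the alias is used
    ts = srs_timestamp(days_since_epoch)
    mac = hmac.new(SRS_SECRET, (ts + domain + local).lower().encode(), hashlib.sha1).digest()
    h = base64.b64encode(mac).decode()[:4]
    return f"SRS0={h}={ts}={domain}={local}@{alias_domain}"


def dialup_scenario():
    """Walk the cases from the post and return the SPF result of each."""
    rewritten = srs_forward("my-other-email-address-is@hotmail.com", "user@example.net",
                            12587)   # 12587 = days from 1970-01-01 to 2004-06-18
    return {
        "mx_a_sends_user_mail": check_spf("192.0.2.10", "user@example.net", "a.mx.example.net"),
        "dialin_host_sends_directly": check_spf("192.0.3.20", "user@example.net",
                                                "3-20.dialin.example.net"),
        "b_mx_sends_ndn_null_sender": check_spf("192.0.2.11", "", "b.mx.example.net"),
        "hotmail_return_path_unrewritten": check_spf("192.0.2.10",
                                                     "my-other-email-address-is@hotmail.com",
                                                     "a.mx.example.net"),
        "hotmail_return_path_after_srs": check_spf("192.0.2.10", rewritten, "a.mx.example.net"),
        "srs_rewritten_address": rewritten,
    }


if __name__ == "__main__":
    for case, result in dialup_scenario().items():
        print(f"{case}: {result}")
```

Run as is, the script prints one line per case: the MX hosts pass for user@example.net, the dialin host fails on "-all", the null-sender NDN passes through the HELO fallback on b.mx.example.net's record, and the hotmail.com return-path fails from 192.0.2.10 until it is SRS-rewritten to an @example.net address, after which example.net's "a mx -all" record passes it.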