On Fri, Jun 18, 2004 at 01:42:21PM -0400, John Glube wrote:
|
| Can you perhaps elaborate further on this point,
| so we can better understand your vision of how
| this will all come together?
|
Use Case 3: dialup ISP
example.net is an ISP with a web server, a dialin pool, and
an MX pool. This is an example that begins to approach the
complexity seen in the real world.
Web server:
example.net A 192.0.2.1
192.0.2.1 PTR example.net
www.example.net A 192.0.2.1
Dialin pool:
3-20.dialin.example.net A 192.0.3.20
192.0.3.20 PTR 3-20.dialin.example.net
3-21.dialin.example.net A 192.0.3.21
192.0.3.21 PTR 3-21.dialin.example.net
3-22.dialin.example.net A 192.0.3.22
192.0.3.22 PTR 3-22.dialin.example.net
3-23.dialin.example.net A 192.0.3.23
192.0.3.23 PTR 3-23.dialin.example.net
MX pool:
example.net MX 10 a.mx.example.net
a.mx.example.net A 192.0.2.10
192.0.2.10 PTR a.mx.example.net
example.net MX 11 b.mx.example.net
b.mx.example.net A 192.0.2.11
192.0.2.11 PTR b.mx.example.net
Dialin users are expected to configure their MUAs to send
mail through smtp.example.net.
smtp.example.net A 192.0.2.10
smtp.example.net A 192.0.2.11
When mail is sent, in the common case,
192.0.2.10 sends mail with
HELO a.mx.example.net
MAIL FROM:<user@example.net>
From: <user@example.net>
192.0.2.11 sends mail with
HELO b.mx.example.net
MAIL FROM:<user@example.net>
From: <user@example.net>
* * *
SPF Classic
SPF Classic requires these four SPF records:
example.net TXT "v=spf1 a mx -all"
www.example.net TXT "v=spf1 a -all"
a.mx.example.net TXT "v=spf1 a -all"
b.mx.example.net TXT "v=spf1 a -all"
The first is the important one; the second is there to
prevent spoofing of the www address; the third and fourth
are for HELO fallback, for when a.mx and b.mx need to send
NDNs with null MAIL FROM:<>.
* * *
"Am I an MTA Or Not?": MTAMark / Selective Sender
MTAMark asks that network owners indicate whether an IP
address is an MTA or not. SPF-used-as-MTAMark would require
these additional records to cover the dialin pool:
3-20.dialin.example.net TXT "v=spf1 -all"
3-21.dialin.example.net TXT "v=spf1 -all"
3-22.dialin.example.net TXT "v=spf1 -all"
3-23.dialin.example.net TXT "v=spf1 -all"
Personally, I don't think the above should be necessary. I
think that if you get mail from a return-path that has only
an A record and neither an MX record nor an SPF record, you
should assume that it's not meant to be an MTA. This rule
subsumes the MTAMark semantic.
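As an added example (not code from this message or from any SPF implementation), here is a minimal evaluator over the constructed example.net records above, limited to the "a", "mx" and "-all" mechanisms used in this use case, plus the "A record only, no MX, no SPF" rule proposed for the dialin pool. The ZONE table, check_spf and looks_like_mta are assumptions for the example; only one dialin host is included.

```python
# Constructed DNS data for the example.net use case (no live lookups).
ZONE = {
    "A": {
        "example.net": ["192.0.2.1"],
        "www.example.net": ["192.0.2.1"],
        "3-20.dialin.example.net": ["192.0.3.20"],  # dialin pool, one host
        "a.mx.example.net": ["192.0.2.10"],
        "b.mx.example.net": ["192.0.2.11"],
    },
    "MX": {"example.net": ["a.mx.example.net", "b.mx.example.net"]},
    "TXT": {  # the four SPF Classic records from the message
        "example.net": "v=spf1 a mx -all",
        "www.example.net": "v=spf1 a -all",
        "a.mx.example.net": "v=spf1 a -all",
        "b.mx.example.net": "v=spf1 a -all",
    },
}


def lookup(rtype, name):
    """Return the A or MX data for name, or [] if there is none."""
    return ZONE[rtype].get(name, [])


def check_spf(ip, domain):
    """Evaluate domain's v=spf1 record for the connecting ip.
    Supports only the a, mx and -all mechanisms used on this page.
    Returns 'pass', 'fail', 'neutral', or 'none' (no SPF record)."""
    record = ZONE["TXT"].get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        if term == "a" and ip in lookup("A", domain):
            return "pass"           # ip is one of domain's own A records
        if term == "mx" and any(ip in lookup("A", mx) for mx in lookup("MX", domain)):
            return "pass"           # ip is an A record of one of domain's MX hosts
        if term == "-all":
            return "fail"           # nothing matched before the catch-all
    return "neutral"


def looks_like_mta(domain):
    """The rule proposed in the message: a return-path domain with only an
    A record, and neither an MX record nor an SPF record, is not an MTA."""
    a_only = bool(lookup("A", domain)) and not lookup("MX", domain)
    return not (a_only and domain not in ZONE["TXT"])
```

The MX hosts pass for example.net via "mx" and for their own names via "a" (the HELO fallback case), while the dialin address fails both checks and is classed as a non-MTA.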
* * *
HELO: CSV / DRIP
SPF-used-as-CSV/DRIP makes use of the existing records
a.mx.example.net TXT "v=spf1 a -all"
b.mx.example.net TXT "v=spf1 a -all"
* * *
PRA: SenderID
SPF-used-as-CallerID (which is now SenderID) covers the
Purported Responsible Address found in the headers:
From: <user@example.net>
Now, let's see what happens when a user@example.net wants to
"legitimately forge" another email address:
From: <my-other-email-address-is-at@hotmail.com>
Suppose the MUA injects with
MAIL FROM:<my-other-email-address-is@hotmail.com>
Under Classic SPF, the ISP would have to SRS the
return-path on further deliveries, turning it into:
MAIL FROM:<SRS0=LKl+=JL=hotmail.com=my-other-email-address-is@example.net>
(The above transformation can be performed using
  perl -MMail::SRS -le 'my $srs = Mail::SRS->new(Secret=>["my secret"]); print for $srs->forward(shift, shift);' my-other-email-address-is@hotmail.com user@example.net
)
To satisfy SenderID, the ISP would have to make sure the
Sender header was present, and if it was not present, to add
it:
Sender: <user@example.net>
(We assume the ISP knows who the injecting user is, thanks
to SMTP AUTH or a PPPOE login or something like that. If we
do not know, for "user" substitute a generic localpart such
as "mailer-dialup-2-30".)
With the SUBMITTER extension to SenderID, the return-path
would be:
MAIL FROM:<my-other-email-address-is@hotmail.com> SUBMITTER=<user@example.net>
or even, if the ISP wants to play it safe and SRS the return path:
MAIL FROM:<SRS0=LKl+=JL=hotmail.com=my-other-email-address-is@example.net> SUBMITTER=<user@example.net>