spf-discuss

Re: Unified SPF: Example for dialup ISP

2004-06-18 14:31:44
On Fri, 18 Jun 2004 16:37:55 -0400, Meng Weng Wong wrote:
Use Case 3: dialup ISP

 example.net is an ISP with a web server, a dialin pool, and
 an MX pool.  This is an example that begins to approach the
 complexity seen in the real world.

 Web server:

        example.net A   192.0.2.1
                        192.0.2.1 PTR example.net
    www.example.net A   192.0.2.1

 Dialin pool:

      3-20.dialin.example.net A  192.0.3.20
                                 192.0.3.20 PTR 3-20.dialin.example.net

      3-21.dialin.example.net A  192.0.3.21
                                 192.0.3.21 PTR 3-21.dialin.example.net

      3-22.dialin.example.net A  192.0.3.22
                                 192.0.3.22 PTR 3-22.dialin.example.net

      3-23.dialin.example.net A  192.0.3.23
                                 192.0.3.23 PTR 3-23.dialin.example.net

 MX pool:

   example.net MX 10 a.mx.example.net
                   a.mx.example.net A 192.0.2.10
                                      192.0.2.10 PTR a.mx.example.net
   example.net MX 11 b.mx.example.net
                   b.mx.example.net A 192.0.2.11
                                      192.0.2.11 PTR b.mx.example.net

 Dialin users are expected to configure their MUAs to send
 mail through smtp.example.net.

   smtp.example.net A 192.0.2.10
   smtp.example.net A 192.0.2.11

 When mail is sent, in the common case,

    192.0.2.10 sends mail with
      HELO a.mx.example.net
      MAIL FROM:<user@example.net>
      From: <user@example.net>

    192.0.2.11 sends mail with
      HELO b.mx.example.net
      MAIL FROM:<user@example.net>
      From: <user@example.net>

                         * * *
                      SPF Classic

SPF Classic requires these four SPF records:

        example.net   TXT  "v=spf1 a mx -all"
    www.example.net   TXT  "v=spf1 a    -all"
   a.mx.example.net   TXT  "v=spf1 a    -all"
   b.mx.example.net   TXT  "v=spf1 a    -all"

The first is the important one; the second is there to
prevent spoofing of the www address; the third and fourth
are for HELO fallback, for when a.mx and b.mx need to send
NDNs with null MAIL FROM:<>.

                         * * *
     "Am I an MTA Or Not?": MTAMark / Selective Sender

MTAMark asks that network owners indicate whether an IP
address is an MTA or not.  SPF-used-as-MTAMark would require
these additional records to cover the dialin pool:

   3-20.dialin.example.net TXT "v=spf1 -all"
   3-21.dialin.example.net TXT "v=spf1 -all"
   3-22.dialin.example.net TXT "v=spf1 -all"
   3-23.dialin.example.net TXT "v=spf1 -all"

Personally, I don't think the above should be necessary.  I
think that if you get mail from a return-path that has only
an A record and neither an MX record nor an SPF record, you
should assume that it's not meant to be an MTA.  This rule
subsumes the MTAMark semantic.

<snip>

I disagree with your proposed rule above for a return-path
without an MX or SPF record but with an A record (and a matching PTR, I assume).

The RFC I can't quote off the top of my head, but I thought
that a receiving MTA (and therefore a sending MTA) could get away
with just an A record for the domain (giving a weight of 0) if
no MX was declared.

More important, though, are bounce messages from domains
without any SPF, since the sender may be an outbound-only MTA, i.e. an A
record matching HELO, but no matching MX or SPF.

IMHO, for the moment, all A and MX records need to have an SPF
TXT record to declare the owner's policy for the IP to which
they refer.

Regards
Karl.P
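To make the mechanics the two posts are arguing about concrete, here is a small SPF evaluator run over the zone data from the quoted use case. This is an added example, not code from either poster or from any SPF implementation. The DNS table is constructed inline from the records above (with one extra dialin host, 3-21, deliberately left without a TXT record to exercise the "A record only" case); it supports only the mechanisms those records use (a, mx, all, with a qualifier), and it implements the HELO fallback for a null MAIL FROM that the "third and fourth" records exist for. The function names, and the side-by-side classification of an A-only domain under Meng's proposed heuristic versus the implicit-MX-of-preference-0 rule from RFC 2821 section 5 that Karl is recalling, are this example's own.

```python
"""Minimal v=spf1 evaluator over the dialup-ISP zone from the quoted post.

Added example, not the posters' code. ZONE is constructed from the records
in the quoted message; only the a, mx and all mechanisms are implemented.
"""
import ipaddress

# Constructed zone data, keyed by (owner name, record type).
ZONE = {
    ("example.net", "A"): ["192.0.2.1"],
    ("www.example.net", "A"): ["192.0.2.1"],
    ("a.mx.example.net", "A"): ["192.0.2.10"],
    ("b.mx.example.net", "A"): ["192.0.2.11"],
    ("smtp.example.net", "A"): ["192.0.2.10", "192.0.2.11"],
    ("3-20.dialin.example.net", "A"): ["192.0.3.20"],
    ("3-21.dialin.example.net", "A"): ["192.0.3.21"],  # A only: no TXT (assumption)
    ("example.net", "MX"): [(10, "a.mx.example.net"), (11, "b.mx.example.net")],
    ("example.net", "TXT"): ["v=spf1 a mx -all"],
    ("www.example.net", "TXT"): ["v=spf1 a -all"],
    ("a.mx.example.net", "TXT"): ["v=spf1 a -all"],
    ("b.mx.example.net", "TXT"): ["v=spf1 a -all"],
    ("3-20.dialin.example.net", "TXT"): ["v=spf1 -all"],  # MTAMark-style record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    recs = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    return recs[0] if recs else None


def mechanism_matches(mech, ip, domain):
    """Evaluate one mechanism (a, mx, all) against the connecting IP."""
    if mech == "all":
        return True
    if mech == "a":
        return ip in lookup(domain, "A")
    if mech == "mx":
        return any(ip in lookup(host, "A") for _, host in lookup(domain, "MX"))
    raise ValueError("unsupported mechanism: %s" % mech)


def check_host(ip, domain):
    """Return pass/fail/softfail/neutral, or 'none' if no SPF record exists."""
    ip = str(ipaddress.ip_address(ip))  # normalise before string comparison
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without a match


def check_sender(ip, helo, mail_from):
    """SPF check on the MAIL FROM domain; a null sender (bounce/NDN) falls
    back to the HELO name, which is why a.mx and b.mx carry their own records.
    Returns (domain actually checked, result)."""
    domain = mail_from.rsplit("@", 1)[1] if mail_from else helo
    return domain, check_host(ip, domain)


def classify_a_only(domain):
    """The two readings of an 'A record only' domain from the thread.

    Returns (meng_rule, rfc2821_rule): Meng's heuristic calls a domain with an
    A record but neither MX nor SPF 'not-an-mta'; RFC 2821 section 5 instead
    gives such a domain an implicit MX of preference 0 pointing at itself.
    """
    has_a, has_mx = bool(lookup(domain, "A")), bool(lookup(domain, "MX"))
    has_spf = spf_record(domain) is not None
    meng = "not-an-mta" if (has_a and not has_mx and not has_spf) else "undetermined"
    if has_mx:
        rfc = "explicit-mx"
    elif has_a:
        rfc = "implicit-mx-preference-0"
    else:
        rfc = "no-mail-host"
    return meng, rfc


if __name__ == "__main__":
    # Dialup user relaying through smtp.example.net, then sending direct.
    print(check_sender("192.0.2.10", "a.mx.example.net", "user@example.net"))
    print(check_sender("192.0.3.20", "3-20.dialin.example.net", "user@example.net"))
    # NDN with null sender from a.mx: HELO fallback.
    print(check_sender("192.0.2.10", "a.mx.example.net", ""))
    print(classify_a_only("3-21.dialin.example.net"))
```

The interesting rows are the last two: the null-sender NDN only passes because a.mx.example.net publishes its own "v=spf1 a -all", and 3-21.dialin.example.net, which publishes nothing, comes back "none" from SPF, "not-an-mta" under Meng's heuristic, and a perfectly valid implicit-MX host under the RFC 2821 reading. That gap is exactly the disagreement in the thread.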

