spf-discuss

Re: an other approach for SPF

2004-08-03 04:00:22
On Tuesday, 3 August 2004 12:38, Daniel Gueniche wrote:

Our domain is grenoble.cnrs.fr (147.173.x.x) and we wish to secure our
mail exchanges.
So for testing purpose, the following TXT record was added on our DNS:
grenoble.cnrs.fr IN TXT "v=spf1 a -all"

This currently doesn't show outside...
[michel(_at_)totor michel]$ host -t txt cnrs.fr
[michel(_at_)totor michel]$ host -t txt grenoble.cnrs.fr
[michel(_at_)totor michel]$ host -t txt labs.grenoble.cnrs.fr
[michel(_at_)totor michel]$ host -t txt vigie.grenoble.cnrs.fr

(no txt record was found for any of these)

Here are 2 logs we have when making tests :

--- start 1st log ---

[...]
Received: from labs.grenoble.cnrs.fr (labs.grenoble.cnrs.fr [147.173.1.26])
           by vigie.grenoble.cnrs.fr (8.12.11/jtpda-5.4) with ESMTP id
[...]
Received-SPF: pass (vigie.grenoble.cnrs.fr: domain of 
root(_at_)grenoble(_dot_)cnrs(_dot_)fr
designates 147.173.1.26 as permitted sender)

Note that this worked only because "grenoble.cnrs.fr" and
"labs.grenoble.cnrs.fr" both have an A record pointing to the same IP address:
[michel(_at_)totor michel]$ host grenoble.cnrs.fr
grenoble.cnrs.fr has address 147.173.1.26
[michel(_at_)totor michel]$ host labs.grenoble.cnrs.fr
labs.grenoble.cnrs.fr has address 147.173.1.26

Here is the log of an e-mail (SPAM) we've made (forged) from a linux
box, named reflector.grenoble.cnrs.fr (147.173.3.39). This mail pretends to
come from john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org(_dot_)
[...]
For me this seems to be bad because a mail from a non-existing domain is
always accepted (because there is no TXT record). So, the real
"john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org" will be insulted by
automatic anti-spam software.

First, your MTA should be configured not to accept MAIL FROM a
non-existing domain. This is not SPF related.

Second, if an existing domain has no SPF record, SPF has no way to determine
whether your reflector.grenoble.cnrs.fr is or is not authorized to send mail
from the domain in question.

Since SPF has seen that the e-mail was sent from 147.173.3.39, it can deduce
from a reverse DNS request that this address belongs to grenoble.cnrs.fr and
thus whether it's one of the authorized senders for this domain.

Knowing that your machine is an authorized sender for your domain doesn't mean 
that it isn't as well authorized for other domains...

By asking the spoofed domain of the fake e-mail address we pretend to be
coming from, SPF achieves good domain anti-spoofing, but I think that SPF
could do more by ALSO relying on the SMTP sender IP address. Then:
 .forged mail will be rejected -> less spam received
 .john.smith will not be insulted -> we don't participate in the effects of
forged mails

Could SPF propose this option?
What do you think of that idea?

I don't really understand the logic behind your reasoning, but this is not the 
way SPF works.

SPF checks if the sending MTA is authorized for the domain appearing in the
MAIL FROM.

If the domain in the MAIL FROM doesn't have any SPF record stating which are 
its outgoing mailservers, SPF has no way to know if a given server is 
authorized or not for the concerned domain. The fact that the server is 
another domain's, and is SPF-authorized for another domain, is irrelevant.

Regards.

-- 
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E

Has the evolution of pre-situationist thought between the Hegelian school
and the negativism of the neo-Nietzschean infrastructure, consciously or not,
influenced the career of Raymond Poulidor?
        -- Pierre Desproges.
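The check Michel describes (is the connecting IP authorized by the MAIL FROM domain's own "v=spf1" record, with "none" when no record is published) as a small evaluator, added here as an illustration and not part of the original mail or of any SPF implementation. DNS answers are a constructed in-memory table modelled on the hosts named in the thread; only the "a", "ip4" and "all" mechanisms are handled.

```python
"""Toy SPF check_host() for the cases discussed in the thread."""
import ipaddress

# Constructed DNS data (not live lookups). some.domain.org deliberately
# publishes no TXT record, which is the situation Daniel observed.
DNS = {
    "grenoble.cnrs.fr": {"TXT": ["v=spf1 a -all"], "A": ["147.173.1.26"]},
    "labs.grenoble.cnrs.fr": {"A": ["147.173.1.26"]},
    "reflector.grenoble.cnrs.fr": {"A": ["147.173.3.39"]},
    "cnrs.fr": {"TXT": ["v=spf1 ip4:147.173.0.0/16 ~all"]},   # assumed record
    "some.domain.org": {"A": ["192.0.2.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record of domain, or None."""
    recs = [t for t in lookup(domain, "TXT")
            if t == "v=spf1" or t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain):
    """Evaluate sender IP against the MAIL FROM domain's published policy."""
    record = spf_record(domain)
    if record is None:
        return "none"           # nothing published: nothing can be concluded
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"         # mechanisms default to '+' (pass) when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":       # A record of the given (or MAIL FROM) domain
            matched = any(ipaddress.ip_address(a) == ip
                          for a in lookup(arg or domain, "A"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # no mechanism matched and no 'all' term
```

With this table, labs.grenoble.cnrs.fr (147.173.1.26) passes for grenoble.cnrs.fr because its A record matches, the reflector box (147.173.3.39) fails, and any MAIL FROM under some.domain.org yields "none" regardless of the sending IP.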
