spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [spf-discuss] Re: [OT]Calling Hector Santos

2005-08-26 14:07:25
from [Hector Santos] [Permanent Link] 

----- Original Message ----- 
From: "Frank Ellermann" <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de>


Come on, that's obvious, "v=spf1 ?mx -all" cannot mean "if
I don't like NEUTRAL I just skip ?a and get -all FAIL", that
makes no sense.


I didn't say, nor imply, nor did I write anything to suggest that our 
implementation was attempting to breed its own SPF non-standard methodology.

What I said, there was bug in the short circuiting for a NEUTRAL.  The bug was 
fixed and was put into the gamma testing.  

The issue I was describing might be complex to understand if you are not a 
coder, but I want to show you what I mean:

Even though the SPECS has to be followed, there is a concern about how and 
"What Order" of POLICIES are being presented.

Example:

domain_a:  v=spf1 ?include:domain_b -all
domain_b:  v=spf1 -ip4:1.2.3.4 +all

Now suppose the SENDER IP is 1.2.3.4 so that there is a match in the policy.

Lets follow the PREFIX:

domain_a:  prefix=+  default
domain_a:  ?include:domain_b  prefix is now ?
    domain_b:  prefix=+  default
    domain_b:  -ip4 prefix is now -
        ip match -> return prefix=-

when the recursive call returns, what is the result?

    prefix=-  from hard ip4 match? or
    prefix=?  from hard ?include result?

Does the Outer Prefix override the Inner Prefix? What is correct? and why?

There is a MATCH in the recursive DOMAIN_B policy that had a specific "FAIL" 
prefix.   But the calling DOMAIN_A policy said it should be a "NEUTRAL."

What if the IP did not match? 


    prefix=+  from default pass in domain_b policy, or
    prefix=-  from default fail in domain a policy?

What is correct? and why?

See my point?   

The point is that a PUBLISHED POLICY also needs to make sense.

Our bug was related the mess above. I think it is correct that the answer to 
the above is FAIL, prefix=-, because of the hard match in the recursive IP4 
match.

But it raises the question about whether it make sense to have a NEUTRAL prefix 
for a INCLUDE directive.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com





-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Hector's test script - Minor error, Richard Bollinger
Next by Date:  RE: [spf-discuss] The problems with SPF, Herb Martin
Previous by Thread:  Re: [OT]Calling Hector Santos, Frank Ellermann
Next by Thread:  Re: [spf-discuss] Re: [OT]Calling Hector Santos, wayne
Indexes:  [Date] [Thread] [Top] [All Lists]