spf-discuss
[Top] [All Lists]

Re: [spf-discuss] Using CBV

2006-02-17 20:20:20
"Hector Santos" <spf-discuss(_at_)winserver(_dot_)com> writes:

"David Mazieres (no direct replies)" 
<dm-list-spf(_at_)scs(_dot_)stanford(_dot_)edu> wrote in

Okay, maybe this is the confusion...  Does this describe what's
happening?

  - Machine A is sending mail "from" address user(_at_)example(_dot_)com to
    machine B.

  - You check whether example.com is running an open relay.

  - You *don't* explicitly check whether machine A is an open relay.


No. Hmmmm, I am failing to understand why this is difficult to grasp.

If that's the case, the check would seem to be of limited utility
unless A also happens also to be the mail exchanger for example.com.

I just showed you a LOG showing where it does work and that was an old log
that first cropped up from a simple grep.  And you still say it is limited
utility?  :-)

Maybe I don't understand your log format.  There are three possible
machines at play:

   A) The sending client

   B) The recipient SMTP server

   C) The mail exchanger for the Mail-From address, if not <>

You run machine B.  The question is what callbacks you make to
machines A and C.  The way I interpret your logs, what you call C is
my B, and what you call S is what I call C.  Whatever you're doing,
however, it seems that:

   1) It doesn't really matter whether machine C is an open relay or
      not, since it's not sending you mail.

   2) If you do a CBV to machine A to test whether it is an open
      relay, you risk causing loops.

So while I like the idea of automatically detecting open relays, and
would consider adding it to my mail server, I don't understand how you
do it both safely and usefully.

Aain, this is a fundamental principle in SMTP, it is worth repeating:

The standard "Rule of Thumb" in SMTP is:

    - Local Domain recipients do not need authentication to relay
    - Remote domain recipients need authentication to relay.

This shouldn't be relevant, because presumably you aren't using any
kind of authentication in your callbacks, right?  We should only be
talking about unauthenticated SMTP here.

Just consider. a CBV is just another SMTP session. Just like if you replied.
There is nothing special about  it because it works with 100% backward
compatibility functionality.

I'm not worried about deviating from SMTP.  I'm worried about one SMTP
session triggering another.  If A's connection causes B to connect
back to A, and that connection causes A to connect back to B, and so
on, no one is violating 2821, but you still have a bad situation!

Its widely deploy among thousands of our customer base and its network of
users.  If they haven't experience a problem by now, I doubt it will
tomorrow.

There are many vendors using CBV, atleast 5-6 vendors and software products.
It is more widely deployed then one wishes to acknowledge.

Look, I'm one of those "vendors" if you count open source software.
My mail server performs SMTP callbacks.  But it does so to machine C,
to check the envelope-sender address.  This is also what Verizon seems
to do.  I definitely understand CBV as applied to the mail-from
address, because I've built three different implementations of it in
Perl, C, and C++.  My latest implementation is deployed on probably
100 servers, including some pretty high-traffic sites and at least one
large company.  So I'm a *BIG* believer in SMTP callbacks.

What I haven't heard of is automatic checking for open relays during
mail deliver.  Thus, I'm curious which vendors do this (not all do),
and how it works.  You could start by telling me which machine is
involved--is it A or C.

If my reading of your log is correct and you are checking whether C is
an open relay, then why does this help since A is actually the machine
sending you mail?

David

-- 
This message was sent from a non-repliable address for a closed mailing list.
If you wish to reply directly to me, you can use the following address, which
expires on 03 Mar 2006:
    
<mazieres-rmddpxj73nd95g5swe5zavmnva(_at_)temporary-address(_dot_)scs(_dot_)stanford(_dot_)edu>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

<Prev in Thread] Current Thread [Next in Thread>