spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[spf-discuss] Re: RFC 4409

2006-09-25 03:34:25
from [Frank Ellermann] [Permanent Link] 
Scott Kitterman wrote:
 

2821.Mail-From: Bogus
2822.From: Bogus
2822.Sender: Good



What does the user see?  In most cases is the bogus
addresses.


Yes, if the MSA implements only 8.1 (MAY add Sender) but does
not enforce submission rights (maybe in an attempt to support
"bounces-to") that's what you might get.


If the mail doesn't from from an authorized address, it
should go back to the sender to fix it


The "bounces-to" concept isn't strictly illegal at the moment,
it's not the job of RFC 4409 to fix 1123 5.3.6(a), that's the
job of SPF, including stuff like op=auth and op=pra.

"MAY add sender" isn't good enough for op=auth, but it might
help with op=pra, or with "bounces-to" fans using Sender-ID,
if such users exist.  

The protection of the bogus Return-Path (or in other words the
"bounces-to") is something for RFC 4408, not RFC 4409 8.1.  It
is covered by 6.1 enforced submission rights.

What you want, reject a bogus PRA instead of "MAY add sender",
is  possible based on section 6.3

| The MSA MAY issue an error response to the DATA command or
| send a failure result after end-of-data if the submitted
| message is syntactically invalid, or seems inconsistent with
| permissions given to the user (if known), or violates site
| policy in some way.

I'm not sure how the MSA can reach 6.3 if the user is unknown,
at that point (DATA) the "session" MUST be authenticated.  It
is probably a RADIUS or SMTP-after-POP scenario, where the MSA
only knows "one of our users", but not which user.

In that scenario it can't check permissions, unless there's a
non-empty MAIL FROM, that could be the reason for "seems".  And
this MAIL FROM might be a cross-user forgery, we arrive again
at "enforce permission rights" or "die, spammer, die".

The bug or rather omission in 8.1, the missing Resent-* case,
is one thing.  The optional action in 8.1, add Sender, is a
different topic:  Rejecting the mail for this or other reasons
is covered by 6.3 (I think).  For the proposed update we could
add a pointer to 6.3:

[...old text as posted adding: ...]
: Please note that the MSA can also reject mails instead of
: adding or replacing a Sender or Resent-Sender address as
: oulined in section 6.3.

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [spf-discuss] Re: "authorized" == "not forged"?, Frank Ellermann
Next by Date:  [spf-discuss] Re: "authorized" == "not forged"?, Julian Mehnle
Previous by Thread:  Re: [spf-discuss] Re: RFC 4409, Scott Kitterman
Next by Thread:  [spf-discuss] I wonder if someone could get Sender ID added to this list..., Scott Kitterman
Indexes:  [Date] [Thread] [Top] [All Lists]