spf-discuss

Re: [spf-discuss] Softfail when spf-checking mails from this list, max_dns_mx=5

2007-03-14 07:37:22
On Wed, 14 Mar 2007 15:16:31 +0100 Thomas Jacob <jacob(_at_)internet24(_dot_)de> wrote:
In the RFC 4408 processing limits, up to 10 MX records should be checked.

The RFC 4408 limits are based on the libspf2 limits, but in some cases
libspf2 has lower limits.  This appears to be one of them.  IIRC libspf2
can be configured to use different values than the defaults for the limits.
I would recommend changing that limit to 10.

I would appreciate it if you would let us know how/if you are able to
change it.

Indeed that's the problem, libspf2 (1.2.5) has a builtin
fixed limit of 5 for MX lookups and PTR lookups, RFC 4408 specifies
a hard limit of 10. 

This limit can only be increased by patching the code. There seems
to have been a plan to allow this value to be changed at run time
(via a macro-generated function SPF_server_set_max_dns_mx) but
the current code doesn't announce that function in the
library headers anymore. Hmm. Anyway this value would be used
only if it would be smaller than the builtin max so this would
not help here.

See spf_server.h, spf_interpret.c from line 790 onwards
and the RFC section 5.4

Fixing this locally requires an update of libspf2 installations
on several machines... that's not something I will get around to
quickly, but I will certainly do it over the next weeks.

But really there is no need to try this out, it's really obvious
from the code and the very helpful debugging output of spfquery/libspf2
(so there didn't have to be all that much effort from my side, cf. your
other mail ;-)

So the question is, shouldn't the libspf fixed limits be extended to at
least allow people to use the maximum number of MX records stipulated in
the RFC?

After all there is a good chance that a large number of mail servers will
be using this lib directly..

Agreed.

I have managed to end up being the de facto libspf2 maintainer for Ubuntu.
If I can get a patch this week I can probably get it into the next release.
I'm neither a C programmer nor a libspf2 user, so I need a patch I can
test/package.

Later I will work on pushing it upstream to Debian.

Scott K
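
An added illustration, not part of the original message and not libspf2 code: a small Python model of how a verifier-side MX limit of 5 instead of 10 changes the result for a sender whose matching MX host comes after the fifth. The policy, host names, addresses and function names are constructed, and it assumes that MX hosts past the limit are simply not examined, so the mechanism does not match.

```python
import ipaddress

RFC4408_MX_LIMIT = 10    # limit cited in the thread for RFC 4408
BUILTIN_MAX_DNS_MX = 5   # fixed limit the thread reports for libspf2 1.2.5

def effective_mx_limit(requested, builtin_max=BUILTIN_MAX_DNS_MX):
    """Per the thread, a run-time value is used only if it is smaller
    than the builtin maximum, so it can lower the limit but not raise it."""
    return min(requested, builtin_max)

def mx_matches(client_ip, mx_hosts, a_records, limit):
    """True if client_ip belongs to one of the first `limit` MX hosts.
    Assumption: hosts beyond the limit are never looked at."""
    ip = ipaddress.ip_address(client_ip)
    for host in mx_hosts[:limit]:
        for addr in a_records.get(host, []):
            if ip == ipaddress.ip_address(addr):
                return True
    return False

def check_mx_policy(client_ip, mx_hosts, a_records, limit):
    """Evaluate the constructed policy 'v=spf1 mx ~all'."""
    if mx_matches(client_ip, mx_hosts, a_records, limit):
        return "pass"
    return "softfail"  # falls through to ~all

def unchecked_mx_hosts(mx_hosts, limit):
    """MX hosts a verifier with this limit would never examine."""
    return mx_hosts[limit:]

# Constructed sample zone: eight MX hosts in preference order,
# mx1..mx8.example.org at 192.0.2.1..192.0.2.8.
MX_HOSTS = [f"mx{i}.example.org" for i in range(1, 9)]
A_RECORDS = {host: [f"192.0.2.{i}"] for i, host in enumerate(MX_HOSTS, 1)}

if __name__ == "__main__":
    sender = "192.0.2.7"  # constructed: mail leaves via the 7th MX host
    for requested in (RFC4408_MX_LIMIT, 3):
        print("requested", requested, "-> effective",
              effective_mx_limit(requested))
    for limit in (BUILTIN_MAX_DNS_MX, RFC4408_MX_LIMIT):
        print("limit", limit, "->",
              check_mx_policy(sender, MX_HOSTS, A_RECORDS, limit))
    print("never checked at limit 5:",
          unchecked_mx_hosts(MX_HOSTS, BUILTIN_MAX_DNS_MX))
```
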
