Re: [mailop] spf and mx: tokens

2018-04-12 Thread Philip Paeps

On 2018-04-12 05:41:46 (+0800), Carl Byington wrote:
> While checking dmarc, we check for dkim signatures. If that fails, we 
> look for spf records. A very small number of those contain mx: tokens. 
> While chasing a bug in my code, it became obvious that almost 
> everyone misuses those, and they really meant to use a:some.name


Where you say "almost everyone", you presumably mean "almost everyone of 
the very small number of SPF users who specify mx: tokens".


> So we could (do what they want) interpret mx:mail.example.com as if it 
> were a:mail.example.com - we won't be rejecting mail that the sending 
> domain intended for us to accept. But that just hides their error and 
> possibly increases the chances of yet more folks making the same 
> mistake.


As others have pointed out: that's a terrible idea.  Do what the RFC 
says.


If the number of sites misusing mx: is small enough, you could contact 
them to fix their problem.  With any luck, the bounces will get them to 
fix their problems by themselves.


Alternatively, you could whitelist those domains.

> What does your code do when it sees mx:mail.example.com, where there 
> is no mx record, but there is an a record?


I use libspf2.  It does what the RFC says.  That's what standards are 
for...


Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] spf and mx: tokens

2018-04-12 Thread Paul Smith

On 11/04/2018 22:41, Carl Byington wrote:

> So we could (do what they want) interpret mx:mail.example.com as if it
> were a:mail.example.com - we won't be rejecting mail that the sending
> domain intended for us to accept. But that just hides their error and
> possibly increases the chances of yet more folks making the same
> mistake.
>
> What does your code do when it sees mx:mail.example.com, where there is
> no mx record, but there is an a record?

Do what the RFC says.

From RFC 7208

   "Note regarding implicit MXes: If the <target-name> has no MX record,
   check_host() MUST NOT apply the implicit MX rules of [RFC5321] by
   querying for an A or AAAA record for the same name."

That's not ambiguous ;-)



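To make the RFC 7208 section 5.4 behaviour quoted above concrete, here is a small evaluator for the SPF "mx:" and "a:" mechanisms run against a constructed in-memory zone. This is an added example written for this archive page; it is not code from the thread, from libspf2 or from Exim, and the zone names and addresses are made up (documentation ranges). It shows that "mx:" for a name that has an A record but no MX record does not match, while "a:" for the same name does, and it applies the limit of 10 address lookups per "mx" term from RFC 7208 section 4.6.4.

```python
"""Evaluate SPF "mx:" and "a:" mechanisms against a constructed zone.

Follows RFC 7208 section 5.4: an "mx" target with no MX records does NOT
fall back to the implicit-MX rule (A/AAAA of the same name).  Added example,
not the mailing-list authors' code and not libspf2.
"""
import ipaddress
from typing import Dict, List

# Constructed zone data (not real DNS): name -> record type -> values.
# MX values are (priority, hostname) pairs.
ZONE: Dict[str, Dict[str, List]] = {
    "example.com": {
        "MX": [(10, "mail.example.com"), (20, "backup.example.com")],
        "A": ["203.0.113.1"],
    },
    "mail.example.com": {"A": ["192.0.2.25"], "AAAA": ["2001:db8::25"]},
    "backup.example.com": {"A": ["192.0.2.26"]},
    # The case the thread is about: an A record but no MX record.
    "smtp.example.net": {"A": ["198.51.100.7"]},
    # A name with too many MX hosts to evaluate within the RFC limit.
    "many.example.org": {"MX": [(i, f"mx{i}.example.org") for i in range(11)]},
}

MAX_MX_ADDRESS_LOOKUPS = 10  # RFC 7208 section 4.6.4


class PermError(Exception):
    """Raised when the mechanism must yield 'permerror' per RFC 7208."""


def lookup(name: str, rtype: str) -> list:
    """Return the records of type rtype for name, or [] if none (hypothetical resolver)."""
    return list(ZONE.get(name.lower().rstrip("."), {}).get(rtype, []))


def address_records(name: str, ip: ipaddress._BaseAddress) -> list:
    """A records for an IPv4 client, AAAA records for an IPv6 client."""
    rtype = "AAAA" if ip.version == 6 else "A"
    return [ipaddress.ip_address(a) for a in lookup(name, rtype)]


def match_a(target: str, ip: ipaddress._BaseAddress) -> bool:
    """RFC 7208 section 5.3: 'a' matches if <ip> is an address of <target-name>."""
    return ip in address_records(target, ip)


def match_mx(target: str, ip: ipaddress._BaseAddress) -> bool:
    """RFC 7208 section 5.4: 'mx' matches if <ip> is an address of one of the
    MX hosts of <target-name>.  With no MX records there is nothing to check:
    the implicit-MX rule of RFC 5321 is explicitly NOT applied."""
    mx_hosts = lookup(target, "MX")
    if not mx_hosts:
        return False
    if len(mx_hosts) > MAX_MX_ADDRESS_LOOKUPS:
        raise PermError(f"mx:{target} would need {len(mx_hosts)} address lookups")
    return any(match_a(host, ip) for _, host in sorted(mx_hosts))


def evaluate(mechanism: str, client_ip: str) -> bool:
    """Evaluate a single 'a:<name>' or 'mx:<name>' term for client_ip."""
    kind, _, target = mechanism.partition(":")
    ip = ipaddress.ip_address(client_ip)
    if kind == "mx":
        return match_mx(target, ip)
    if kind == "a":
        return match_a(target, ip)
    raise ValueError(f"unsupported mechanism: {mechanism}")


def describe(mechanism: str, client_ip: str) -> str:
    """Return 'match', 'nomatch' or 'permerror' for a mechanism/IP pair."""
    try:
        return "match" if evaluate(mechanism, client_ip) else "nomatch"
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for term, ip in [
        ("mx:example.com", "192.0.2.25"),       # MX host address: match
        ("mx:smtp.example.net", "198.51.100.7"),  # no MX record: nomatch
        ("a:smtp.example.net", "198.51.100.7"),   # what the sender meant: match
        ("mx:many.example.org", "192.0.2.1"),     # over the lookup limit: permerror
    ]:
        print(f"{term:24} {ip:16} -> {describe(term, ip)}")
```

The resolver is a dictionary so the script runs offline; swapping in real DNS queries changes only `lookup`. The important line is the `if not mx_hosts: return False` branch, which is exactly the "MUST NOT" from section 5.4: a lenient implementation that consulted A/AAAA there would accept the mail, but would also be the thing that hides the publisher's mistake.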


Re: [mailop] spf and mx: tokens

2018-04-11 Thread Phil Pennock
On 2018-04-11 at 14:41 -0700, Carl Byington wrote:
> So we could (do what they want) interpret mx:mail.example.com as if it
> were a:mail.example.com

FWIW, both RFC 4408 from 2006 and RFC 7208 from 2014 explicitly
"MUST NOT" this behavior.

Section 5.4 in each.

> What does your code do when it sees mx:mail.example.com, where there is
> no mx record, but there is an a record?

Exim uses libspf2 and does whatever libspf2 does.  Actually looking in
libspf2's codebase, it looks like it complies with the RFCs here.

-Phil, Exim hat probably on



[mailop] spf and mx: tokens

2018-04-11 Thread Carl Byington
While checking dmarc, we check for dkim signatures. If that fails, we
look for spf records. A very small number of those contain mx: tokens.
While chasing a bug in my code, it became obvious that almost everyone
misuses those, and they really meant to use a:some.name

So we could (do what they want) interpret mx:mail.example.com as if it
were a:mail.example.com - we won't be rejecting mail that the sending
domain intended for us to accept. But that just hides their error and
possibly increases the chances of yet more folks making the same
mistake.

What does your code do when it sees mx:mail.example.com, where there is
no mx record, but there is an a record?




