
mazieres at gmail
Aug 19, 2004, 8:13 AM
New SPF implementation - how to test?
Hi. Mail Avenger (www.mailavenger.org) is an MTA-independent SMTP server that supports SPF. It also allows the dynamic construction of SPF records in policy scripts--essentially exposing SPF to users as a query language.

I'd like to validate the SPF implementation. I've been looking at the tests on http://www.midwestcs.com/spf/tests/, but I'm not exactly sure how to understand the format of those test files. For example, the same test sometimes seems to have multiple results:

    spfquery -ip=192.0.2.33 -sender=20.spf1-test.mailzone.com -helo=20.spf1-test.mailzone.com -rcpt-to="foo [at] spf1-test"
    result /.*/ pass,pass

    spfquery -ip=192.0.2.33 -sender=20.spf1-test.mailzone.com -helo=20.spf1-test.mailzone.com -rcpt-to="foo [at] bar"
    result /.*/ fail,fail

My implementation returns fail, for reasons detailed below. The difference between the two tests seems to be the rcpt-to recipient. Why should that even matter? Searching the madrid draft, the words "recipient" and "rcpt" never even appear, so I don't see why that should affect the results. Obviously there's something I don't understand about the test data format.

Anyway, I'm wondering what the best approach is to testing data. Also, there are a few examples where my implementation differs from the test suite. I'll include some examples below. I'd appreciate any advice on how to test this stuff.

Thanks,
David

    FAIL: 127.0.0.1 localhost.localdomain localhost.localdomain expected pass got
    >>>none: 127.0.0.1 localhost.localdomain localhost.localdomain

    FAIL: 127.1.2.3 my.domain my.domain expected pass got
    >>>none: 127.1.2.3 my.domain my.domain

Should arguably be "fail" with reason of "Domain Does Not Exist" (not sure from madrid draft if this is right--what do people think?), but how would you get pass?

    FAIL: 192.0.2.1 05.spf1-test.mailzone.com 05.spf1-test.mailzone.com expected fail got
    >>>neutral: 192.0.2.1 05.spf1-test.mailzone.com 05.spf1-test.mailzone.com

The TXT record here is: "v=spf1 default=deny". The madrid draft says "There is also one deprecated modifier: "default". Implementations MUST ignore it." Therefore, I conclude this should fall off the end and be neutral.

    FAIL: 192.0.2.33 20.spf1-test.mailzone.com 20.spf1-test.mailzone.com expected pass got
    >>>fail: 192.0.2.33 20.spf1-test.mailzone.com 20.spf1-test.mailzone.com

The SPF record is "v=spf1 a -all". The domain is 20.spf1-test.mailzone.com, which has A record:

    20.spf1-test.mailzone.com. 60 IN A 192.0.2.120

This doesn't match the test IP address. Therefore, I conclude the result should be fail.
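The record evaluations walked through in the post, as an added example that is not part of the original post and is not Mail Avenger's code: a Python evaluator for a subset of SPF (the `a`, `ip4` and `all` mechanisms, with modifiers ignored) run against a constructed table standing in for DNS that holds only the TXT and A records quoted above. The names `check_host`, `disagreements`, `TXT`, `A` and `SUITE` are assumptions made for the illustration, and the logic follows the poster's reading of the draft rather than any published test suite.

```python
import ipaddress

# Constructed stand-in for DNS: only the TXT and A records quoted in the post.
TXT = {
    "05.spf1-test.mailzone.com": "v=spf1 default=deny",
    "20.spf1-test.mailzone.com": "v=spf1 a -all",
}
A = {"20.spf1-test.mailzone.com": ["192.0.2.120"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# (client IP, sender domain, result the test suite expects), as listed in the post.
SUITE = [
    ("127.0.0.1", "localhost.localdomain", "pass"),
    ("127.1.2.3", "my.domain", "pass"),
    ("192.0.2.1", "05.spf1-test.mailzone.com", "fail"),
    ("192.0.2.33", "20.spf1-test.mailzone.com", "pass"),
]


def check_host(ip, domain):
    """Evaluate an SPF subset (a, ip4, all; modifiers ignored) left to right."""
    record = TXT.get(domain, "")
    terms = record.split()
    if terms[:1] != ["v=spf1"]:
        return "none"  # no SPF record published for this domain
    client = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifier such as default=deny: ignored, never matched
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            addrs = A.get(arg or domain, [])
            matched = any(client == ipaddress.ip_address(a) for a in addrs)
        elif name == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"mechanism not covered by this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end without a match


def disagreements():
    """Return (ip, domain, expected, got) for every case that differs."""
    return [(ip, d, exp, check_host(ip, d))
            for ip, d, exp in SUITE if exp != check_host(ip, d)]
```

Calling `disagreements()` returns the same four expected/got pairs the post reports, and changing the client address to 192.0.2.120 for the `a -all` record yields pass.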