James Couzens | 1 Aug 2004 04:41

Re: Case Sensitivity

Marc,

On Sat, 2004-07-31 at 09:06, marc <at> alaia.net wrote:

> Hey, everyone.  A situation has come up on the SPF-Help list where a
> receiver is rejecting inbound mail from a domain and it turns out that
> the problem is case sensitivity.  A test using libspf2 verified that
> libspf2, at least, is case sensitive.

It is not in the spec, and it is wrong.

> Is this an implementation issue or a spec issue, or not an issue at
> all?  What I mean is:
> - Are all DNS-related issues supposed to be case-insensitive, so this
> does not need to be in the spec, but certain implementations have
> implemented it wrong?

This is a bug in "libspf-alt" AKA "libspf2".  This sort of behaviour is
common with immature and developing libraries.  Feel free to inform this
individual that they might wish to give one of the other implementations
a try.  

Since I am clearly biased as the author of libSPF, (although I would
recommend using it), I am left to advise that the individual in question
consult the spf.pobox.com website and select an alternative library
immediately to avoid further problems.  Given that age is often a good
gauge as to maturity one might look at the Mail::SPF::Query
implementation which has spent the longest time in the wild.

> - Are all DNS-related issues not specified, so the SPF spec needs to

James Couzens | 1 Aug 2004 04:58

RE: Case Sensitivity

On Sat, 2004-07-31 at 10:16, Scott Kitterman wrote:

> "By convention, domain names can be stored with arbitrary case, but
> domain name comparisons for all present domain functions are done in a
> case-insensitive manner, assuming an ASCII character set, and a high
> order zero bit.  This means that you are free to create a node with
> label "A" or a node with label "a", but not both as brothers; you could
> refer to either using "a" or "A".  When you receive a domain name or
> label, you should preserve its case.  The rationale for this choice is
> that we may someday need to add full binary domain names for new
> services; existing services would not be changed."

As Roger Moser kindly pointed out, this is how both his Windows library,
and libSPF handle domain names.  As previously mentioned
"libspf-alt" aka "libspf2"* is simply a young library, and as is usually
the case it's suffering from growing pains such as mistakes like this.

> I checked the later RFCs that modify these and they do not change this
> guidance.  Where character case is mentioned at all, it is assumed that
> processing is case insensitive.

And you would be correct.

> Bottom line is that I think the SPF (and I would imagine MARID) specs look
> to be ok.  It appears to me that (assuming the analysis that this is a case
> sensitivity issue is correct) this is best described as an implementation
> defect wrt support of RFC 1034 and 1035.  Given that many of the SPF
> libraries share a common heritage to some degree, they probably all ought to
> be checked for this.


James Couzens | 1 Aug 2004 05:01

RE: Case Sensitivity

On Sat, 2004-07-31 at 19:58, James Couzens wrote:

> that you would look only at my library when attempting to implement, not
> with a copy of the RFC in "your other hand" so to speak.

*sheepish grin* That should read "not without" ;-)

Cheers,

James

-- 
James Couzens,
Programmer
                                                     ( ( (      
      ((__))         __lib__        __SPF__        '. ___ .'    
       (00)           (o o)          (0~0)        '  (> <) '    
---nn-(o__o)-nn---ooO--(_)--Ooo--ooO--(_)--Ooo---ooO--(_)--Ooo---

http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7A7C7DCF

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Send us money!  http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription, 
please go to http://v2.listbox.com/member/?listname=spf-discuss <at> v2.listbox.com

wayne | 1 Aug 2004 08:20

Re: Case Sensitivity

In <1091328100.16704.18.camel <at> code3> James Couzens <jcouzens <at> 6o4.ca> writes:

>> - Are all DNS-related issues supposed to be case-insensitive, so this
>> does not need to be in the spec, but certain implementations have
>> implemented it wrong?
>
> This is a bug in "libspf-alt" AKA "libspf2".  This sort of behaviour is
> common with immature and developing libraries.  Feel free to inform this
> individual that they might wish to give one of the other implementations
> a try.  
>
> Since I am clearly biased as the author of libSPF, (although I would
> recommend using it), I am left to advise that the individual in question
> consult the spf.pobox.com website and select an alternative library
> immediately to avoid further problems.  Given that age is often a good
> gauge as to maturity one might look at the Mail::SPF::Query
> implementation which has spent the longest time in the wild.

Calm down James.

Yes, I left out two tolower()'s in SPF_eval_id.c in libspf2. It is a
bug.  It can be fixed with the following patch:

601c603
< 				    && *pc-- == *ps-- )
---
> 				    && tolower( *pc-- ) == tolower( *ps-- ) )
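
Review bot: the two tolower() calls on the added line take *pc-- and *ps-- directly; if pc and ps are plain char pointers, a byte with the high bit set reaches tolower() as a negative int, which is undefined behaviour, so cast each operand to unsigned char first. tolower() also follows the current locale, while the RFC text quoted earlier in this thread defines the comparison over ASCII, so an explicit A-Z fold would keep results identical on every host. The diff is a context-free normal diff (601c603) with no file header; a unified diff that names SPF_eval_id.c would apply more reliably to trees where the line numbers have moved.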

However, I'm not sure how the heck libspf even comes close to
implementing the algorithm specified by the SPF spec.  Libspf seems to

Michel Bouissou | 1 Aug 2004 09:01

Re: Case Sensitivity

On Sunday 1 August 2004 08:20, wayne wrote:
>
> Yes, I left out two tolower()'s in SPF_eval_id.c in libspf2. It is a
> bug.  It can be fixed with the following patch:
>
> 601c603
> <                                   && *pc-- == *ps-- )
> ---
>
> >                                   && tolower( *pc-- ) ==
tolower( *ps-- )
> > )

RPMs for Mandrake 10.0 of libspf2 including this patch are available from:
http://www.bouissou.net/spftools/

(libspf2*-1.0.4-2.100mdk.*.rpm)

Please feel free to put them in the download section of the libspf2.org site.

Cheers.

-- 
Michel Bouissou <michel <at> bouissou.net> OpenPGP ID 0xDDE8AC6E

Michel Bouissou | 1 Aug 2004 09:11

Re: Case Sensitivity

On Sunday 1 August 2004 04:41, James Couzens wrote:
>
> This is a bug in "libspf-alt" AKA "libspf2".  This sort of behaviour is
> common with immature and developing libraries.  Feel free to inform this
> individual that they might wish to give one of the other implementations
> a try.  
[...]
> People need to be made aware that they shouldn't be using this software
> on production servers when it's so young!
[...]
> It is unfortunate that the library in question has attempted to purport
> themselves to the public as anything other than UNSTABLE. [...]

Bashing others' work this way is very nice indeed, as well as perfectly 
impartial. "This sort of behaviour is common with immature and developing" 
individuals.

</end personal flame>

-- 
Michel Bouissou <michel <at> bouissou.net> OpenPGP ID 0xDDE8AC6E

Koen Martens | 1 Aug 2004 11:00

Re: Case Sensitivity

On Sat, Jul 31, 2004 at 07:58:49PM -0700, James Couzens wrote:
> As Roger Moser kindly pointed out, this is how both his Windows library,
> and libSPF handle domain names.  As previously mentioned
> "libspf-alt" aka "libspf2"* is simply a young library, and as is usually
> the case it's suffering from growing pains such as mistakes like this.

Come on James, this has got to stop _now_. It's not that long ago that
your libsrs had the same flaw in handling its SRS hashes: contrary to
what the RFCs said your library handled the SRS hash as if case was
always preserved, the RFC clearly stated you should never assume that
this is the case. Did we shout 'oh what an immature library, folks don't
use this crap'? No, we pointed out the flaw and it got fixed. Done.

Please stop this. You are losing credibility with this behaviour. 

Koen

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/


Roger Moser | 1 Aug 2004 11:19

Case Sensitivity

As I just found out, according to RFC 2234 the version string "v=spf1" is
case-insensitive.

To fix this in my RMSPF, in the function checkversion() replace memcmp()
with memicmp().

Roger
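
Added example, not part of the original thread and not code from libspf2, libSPF or RMSPF: the two comparisons discussed above (domain names per the quoted RFC text, and the "v=spf1" version token) done with an ASCII-only case fold. It goes beyond the thread by also enforcing a label boundary on suffix matches; the function names and sample inputs are constructed, and the rule that the version token ends at a space or end of record is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fold only ASCII A-Z; unlike tolower() this ignores the locale and is
 * defined for every byte value, including those with the high bit set. */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c - 'A' + 'a') : c;
}

/* 1 if the first n bytes of a and b are equal ignoring ASCII case. */
static int ascii_ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if name equals domain or is a subdomain of it. One trailing root dot
 * is ignored, and the match must start on a label boundary. */
int domain_is_within(const char *name, const char *domain)
{
    size_t nl = strlen(name), dl = strlen(domain);
    if (nl && name[nl - 1] == '.') nl--;
    if (dl && domain[dl - 1] == '.') dl--;
    if (dl == 0 || nl < dl) return 0;
    if (!ascii_ieq_n(name + (nl - dl), domain, dl)) return 0;
    return nl == dl || name[nl - dl - 1] == '.';
}

/* 1 if record starts with the version token in any case. Assumption: the
 * token must be followed by a space or the end of the record. */
int spf_version_matches(const char *record)
{
    static const char ver[] = "v=spf1";
    size_t vl = sizeof ver - 1;
    if (strlen(record) < vl || !ascii_ieq_n(record, ver, vl)) return 0;
    return record[vl] == '\0' || record[vl] == ' ';
}

int main(void)
{   /* Constructed sample inputs. */
    printf("%d %d %d\n", domain_is_within("MAIL.Example.COM", "example.com"),
           domain_is_within("badexample.com", "example.com"),
           spf_version_matches("V=SPF1 mx -all"));
    return 0;
}
```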

Paul Howarth | 1 Aug 2004 12:46

Re: Case Sensitivity

On Sun, 2004-08-01 at 08:01, Michel Bouissou wrote:
> On Sunday 1 August 2004 08:20, wayne wrote:
> >
> > Yes, I left out two tolower()'s in SPF_eval_id.c in libspf2. It is a
> > bug.  It can be fixed with the following patch:
> >
> > 601c603
> > <                                   && *pc-- == *ps-- )
> > ---
> >
> > >                                   && tolower( *pc-- ) == tolower( *ps-- )
> > > )
> 
> RPMs for Mandrake 10.0 of libspf2 including this patch are available from:
> http://www.bouissou.net/spftools/
> 
> (libspf2*-1.0.4-2.100mdk.*.rpm)
> 
> Please feel free to put them in the download section of the libspf2.org site.

Similarly, RPMs for Red Hat/Fedora incorporating this patch can be found
at:

http://www.city-fan.org/ftp/contrib/libraries/
or by FTP at:
ftp://www.city-fan.org/pub/contrib/libraries/

libspf2-1.0.4-6.src.rpm
libspf2-1.0.4-6.i386.rpm
libspf2-devel-1.0.4-6.i386.rpm

James Couzens | 1 Aug 2004 20:49

Re: Case Sensitivity

On Sat, 2004-07-31 at 23:20, wayne wrote:

> Calm down James.

I'm perfectly calm, I thought my last post was exceptionally amusing.

> (it should fail, but libspf passes it.)

Well look at the bright side Wayne, at least it's saying "PASS". :-)

> I have no idea how big the patch would need to be to fix libspf, but
> it appears to be close to a complete rewrite of the ptr: mechanism.

That's ok Wayne, as you mature as a programmer you'll find it easier to
make estimates as to the time required to fix things. ;)

Cheers,

James

-- 
James Couzens,
Programmer
                                                     ( ( (      
      ((__))         __lib__        __SPF__        '. ___ .'    
       (00)           (o o)          (0~0)        '  (> <) '    
---nn-(o__o)-nn---ooO--(_)--Ooo--ooO--(_)--Ooo---ooO--(_)--Ooo---

http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library