Re: SPF PASS
2005-05-26 11:50:39
william(at)elan.net wrote:
On Thu, 26 May 2005, Terry Fielder wrote:
The domain names in my EHLOs is completely disjoint from the set in my
MAIL FROM and mail headers. How is SPF going to handle that?
I believe you will find that the EHLO/HELO is only checked if the MAIL
FROM fails.
Why? Doing EHLO check is useful no matter if MAILFROM fails or passes!
And it does not make any sense to delay it until MAILFROM when EHLO is
the first identity parameter email server receives and this identity
that has very few failure cases with SPF (unlike MAILFROM)
Right, I fell into the the JL trap of thinking that the two domains had
to be the same and yet represent something different. But if its a
relay server, the HELO *will* be different and consequently *will* use a
different SPF record (if one exists).
Also note that MAILFROM identity corresponds to original recipient
(unless every forwarder starts using SRS and you change its semantics,
but that is unlikely) where as EHLO name corresponds to the mail system.
As John proper said, they are disjoint and should not be mixed.
I think I have heard of other implementations where:
If the EHLO fails, you check the MAIL FROM, and if that passes then it
gets an SPF pass.
Unless I'm mistaken SPF pass is specific per scope/identity checked and
there is no overall SPF pass.
That was not my understanding, but I accept being corrected if that's
the case.
Either way, it doesn't matter if your EHLO fails (it does on many,
maybe even MOST systems), because as long as your MAIL FROM is SPF
PASS, then your mails SPF response on the whole is a PASS, and is not
negatively affected.
PS This is from memory, one of the developers are better qualified to
answer this question, if you don't trust my answer, but the
generalization is at least correct, AFAICT.
When it comes time to using the authorization to compare to domain
black/white listing, then the MAIL FROM domain and the EHLO/HELO
domain could be used as a query to the lists.
You should not query different identities on the same reputation service,
I believe that is a possibility for unpredictable and incorrect results
and reputation systems must be setup for each specific identity in
question.
I disagree, a domain may authorize RELAY.com to relay his email. But if
RELAY.com is notoroious for sending spam (from his other customers he
relays for), then when I check the HELO name I may want to reject the
mail from RELAY.com because of his bad spamming reputation even if the
"MAIL FROM" domain is SPF PASS for said relay.
Consider the case when RELAY.com is actually SPAMMER.com, and once
SPAMMER.com is black listed you want to keep blocking mail from him even
if he registers other throwaway domains to pretend his server
SPAMMER.com is relaying for. A thumbs up on the reputation of
THROWAWAY.com may want to be ignored if a thumbs down occurs for the MTA
SPAMMER.com
----
BTW, for those who do not participate at spf-discuss and don't know -
I'm writing paper on email identities and how they are used in path and
cryptographic authentication methods (i.e LMAP and MASS) for anti-spoofing
protection. This is very much on the topic of what has been discussed
here and on ietf-smtp about good and bad points of each proposal.
You can find the latest public draft at:
http://www.elan.net/~william/emailsecurity/path_and_cryptographic_authentication-draft-limited-07.htm
Comments on the content, especially if I got anything wrong are
appreciated.
--
Terry Fielder
terry(_at_)greatgulfhomes(_dot_)com
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: SPF and HELO, was Re: SPF PASS, (continued)
- Re: SPF and HELO, Julian Mehnle
- Re: SPF and HELO, was Re: SPF PASS (was: "If you believe that the SPF concept is fundamentally flawed, please subscribe at http://www.imc.org/ietf-mxcomp/"), Julian Mehnle
- Re: SPF PASS (was: "If you believe that the SPF concept is fundam entally flawed, please subscribe at http://www.imc.org/ietf-mxcomp/"), william(at)elan.net
- Re: SPF PASS (was: "If you believe that the SPF concept is fundam entally flawed, please subscribe at http://www.imc.org/ietf-mxcomp/"), John Levine
- Re: SPF PASS, Terry Fielder
- Re: SPF PASS, william(at)elan.net
- Re: SPF PASS,
Terry Fielder <=
- HELO and MAIL FROM are separate identities; reputation on a per-domain basis instead of per-IP (was: SPF PASS), Julian Mehnle
- Re: SPF PASS, Frank Ellermann
- Re: SPF PASS, wayne
- overall HELO FAIL (was: SPF PASS), Frank Ellermann
- Re: SPF PASS (was: "If you believe that the SPF concept is fundam entally flawed, please subscribe at http://www.imc.org/ietf-mxcomp/"), wayne
- Re: SPF PASS (was: "If you believe that the SPF concept is fundam entally flawed, please subscribe at http://www.imc.org/ietf-mxcomp/"), Julian Mehnle
- Re: SPF PASS, Frank Ellermann
- RE: SPF PASS (was: "If you believe that the SPF concept is fundam entally flawed, please subscribe at http://www.imc.org/ietf-mxcomp/"), Mark
- Addressing Backward Compatibility [was Re: SPF PASS], Hector Santos
- Re: Addressing Backward Compatibility [was Re: SPF PASS], Carl Hutzler
|
|
|