On Mon, Mar 19, 2007 at 10:37:27PM +0100, Frank Ellermann wrote:
Should we better propose "v=spf1 ptr -all" as typical HELO policy ?
This would match any subdomain of "museum.", including domains in
a different zone. Perhaps this example is not suited well, but
imagine a similar hostname "de." with such a policy ... Your
suggestion would allow your host to say "HELO de".
At the moment my host is xyzzy.dnsalias.org = 220.127.116.11
When I try nslookup -q=ptr 18.104.22.168 I get
22.214.171.124.in-addr.arpa name = d252210.dialin.hansenet.de
So, the official name of 126.96.36.199 is d252210.dialin.hansenet.de.
but only if there is also a `forward' lookup possible. There is.
But "host" de doesn't have IP 188.8.131.52, it shouldn't match.
Besides TLD de also has no SPF policy using "v=spf1 ptr -all".
Something with your counterexample is wrong or I miss a clue.
As you can see in my counter example, I suggested that __if__ "de."
had such a policy, __then__ the following would happen:
As per RFC4408 section 5.5, the official name is looked up for "ptr"
mechanisms. Start with the connecting IP address 184.108.40.206, lookup
the corresponding name "d252210.dialin.hansenet.de." and verify it using
an A(d252210.dialin.hansenet.de.) lookup which should return an address
of 220.127.116.11 (maybe more).
Domain "de." SPF policy (in either a TXT record, an SPF record, or both)
"v=spf1 ptr -all", would mean: any host with a name ending in "de."
would match on "ptr", the rest would match on "all".
In your hostname's case: All validated names (d252210.dialin.hansenet.de.)
are then compared against the target name "de." and a match does occur on
the "ptr" mechanism! This means your host would be allowed to "HELO de"
Strict 2821 implementations could reject "HELO ws" and "HELO ws."
as SMTP syntax errors.
Ah, yes, yet another RFC2821 bug. But we can't rely on bugs in other
protocols to help RFC4408. As soon as 2821 is fixed, my example would
Besides, when has 2821 become a standard? 821 has this to say:
<domain> ::= <element> | <element> "." <domain>
<element> ::= <name> | "#" <number> | "[" <dotnum> "]"
<name> ::= <a> <ldh-str> <let-dig>
and thus "museum" is a valid domain. "de" is not, but I think there's
an update somewhere (or I found a bug in 821?)
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
please go to http://v2.listbox.com/member/?list_id=735