ietf-mxcomp

Re: Unified SPF

2004-06-23 22:28:05

On Wed, 2004-06-23 at 20:50, Meng Weng Wong wrote:
> On Thu, Jun 24, 2004 at 12:58:41AM +0100, Roy Badami wrote:
> | 
> | CSV/CSA takes a very different approach, and is also of benefit.
> | Whilst it would be possible to validate the HELO identity using an SPF
> | or XML syntax, the requirements of CSV's problem space make that
> | overkill.
>
> "Overkill" is relative --- if the evaluate_spf function is
> already available, might as well apply it to the HELO name
> and get back something useful.
>
> I have been calling this approach "Unified SPF" --- it
> embraces the CSV and the MTAMark/SS semantics using the SPF
> syntax and lookup, just as SPF has embraced the CallerID
> semantics with SenderID.
>
> People have been mentioning Unified SPF on-list a little bit
> lately but I thought I should probably put it forward
> officially and see what people think.
>
> | The two approaches seem complementary to me; is there any reason why
> | this WG can't advance both to PS?
>
> I explain in more detail at
> http://spf.pobox.com/slides/unified%20spf/
>
> Comments are welcome.

Complexities of the SPF/CID records cause potential exposures needing to
be mitigated.  If the address is immediately expressed to match against
the EHLO domain, this risk can be circumvented if mandated as an
absolute requirement.  Alternatively, adding an SRV record provides this
function without a need to parse textual information and correlates with
SMTP host names rather than mail domains.  If only employing the EHLO
check, the SRV record would be simpler to implement and requires fewer
changes to the SMTP server.

-Doug
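
The idea discussed in this thread, reusing one SPF evaluation routine for both the HELO name and the mail domain, can be sketched as follows. This is an added example, not code from any participant or from an SPF implementation: the function names, host names, and TXT records are constructed, DNS is replaced by an inline table, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT data standing in for DNS lookups (hypothetical names,
# documentation address ranges from RFC 5737).
TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",    # policy for the mail domain
    "mx1.example.org": "v=spf1 ip4:192.0.2.25 -all",  # per-host policy for the HELO name
}

# Result names follow RFC 7208.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain, client_ip, txt=TXT):
    """Evaluate the ip4/ip6/all subset of SPF for any domain name."""
    record = txt.get(domain.lower().rstrip("."))
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this sketch's subset
    return "neutral"  # no mechanism matched and no "all" term

def check_session(helo_name, mail_from_domain, client_ip):
    """Apply the same evaluator to both identities of one SMTP session."""
    return {
        "helo": evaluate_spf(helo_name, client_ip),
        "mail_from": evaluate_spf(mail_from_domain, client_ip),
    }
```

With these records, a client at 192.0.2.77 that announces `mx1.example.org` passes the mail-domain check but fails the HELO check, which is the extra signal the HELO lookup contributes.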