On Fri, Jun 25, 2004 at 03:28:18PM +0800, Dave Crocker wrote:
| MWW> In CSV,
| MWW> http://www.jlc.net/MARID/CSV/draft-ietf-marid-csv-intro-00.html#anchor11
| MWW> suggests that you do authentication by doing an A lookup of
| MWW> the HELO name;
|
| It's not a "suggestion". It is a "specification". The difference is
| important. CSV is very simple and constrained. It is entirely based on
| the SMTP HELO.
|
The text I was referring to said:

    There is no universal method to authenticate that a host is
    correctly identifying itself. For most email purposes, it
    will be sufficient to show that the EHLO domain name
    forward-resolves to the IP address.

"For most email purposes" looks like a loophole to me, which
is why I was requesting clarification.

If it said "do an A/AAAA lookup on the HELO domain name; the
client IP must appear on the list of returned addresses", I
would feel I had a better understanding.

As things stand now, one could read the draft as saying "for
most email purposes, a forward lookup is sufficient; for
other purposes, you may need to do an SPF evaluation against
the HELO domain name" in which case SPF would be compatible
with, and even a part of, the CSV concept.
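
The stricter wording proposed in the message above ("do an A/AAAA lookup on the HELO domain name; the client IP must appear on the list of returned addresses") written out as an added example; it is not part of the original message or of the CSV draft. The function names, the result labels and the sample zone are assumptions of this example.

```python
import ipaddress
import socket

# Constructed sample zone (documentation address ranges); not real DNS data.
CONSTRUCTED_ZONE = {"mail.example.org": ["192.0.2.25", "2001:db8::25"]}

def constructed_resolver(name):
    """Offline stand-in for an A/AAAA lookup over CONSTRUCTED_ZONE."""
    if name == "flaky.example.org":  # simulates a transient DNS failure
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    if name not in CONSTRUCTED_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return CONSTRUCTED_ZONE[name]

def system_resolver(name):
    """Live A/AAAA lookup through the system resolver."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def canon(addr):
    """Parse an address, dropping any zone id and unwrapping ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def helo_forward_check(helo_name, client_ip, resolver=system_resolver):
    """Return 'pass', 'fail', 'temperror' or 'invalid' (labels are this example's)."""
    name = helo_name.strip().rstrip(".").lower()
    if not name or name.startswith("["):
        return "invalid"          # empty or address literal: no domain to look up
    try:
        ipaddress.ip_address(name)
        return "invalid"          # bare IP given as the HELO argument
    except ValueError:
        pass
    try:
        answers = {canon(a) for a in resolver(name)}
    except socket.gaierror as exc:
        # A transient failure is not evidence either way; keep it apart from 'fail'.
        transient = bool(exc.args) and exc.args[0] == socket.EAI_AGAIN
        return "temperror" if transient else "fail"
    # The client IP must appear on the list of returned addresses.
    return "pass" if canon(client_ip) in answers else "fail"

if __name__ == "__main__":
    for helo, ip in [("mail.example.org", "192.0.2.25"),
                     ("mail.example.org", "198.51.100.7")]:
        print(helo, ip, helo_forward_check(helo, ip, constructed_resolver))
```

A match only shows that whoever controls the HELO name's DNS lists that address; it says nothing about the envelope or header sender.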