ietf-mxcomp

Re: CSV details

2004-06-25 07:45:55

Meng Weng Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> wrote:

The text I was referring to said:

    There is no universal method to authenticate that a host is
    correctly identifying itself. For most email purposes, it
    will be sufficient to show that the EHLO domain name
    forward-resolves to the IP address.

   For context, let me quote the rest of section 5.2:
] 
] CSV usually returns the list of IP addresses in the reply to the
] SRV query. The Host Name Authentication appendix gives advice on
] how to proceed if no list is returned.
] 
] If the list is returned and the actual IP address is in it, the
] receiving SMTP server SHOULD consider the EHLO domain name to be
] authenticated. Conversely, if the list is returned and the
] actual IP address is not in it, the assertion of the EHLO domain
] name SHOULD be considered incorrect, and an error returned.

"For most email purposes" looks like a loophole to me, which
is why I was requesting clarification.

   The point we intended was that this level of authentication
(finding a matching IP address in the response to a forward DNS
query) is not sufficiently strong for "all" purposes.

   If you follow the text, it becomes clear (IMHO) that CSV
recommends, at the SHOULD level, accepting this as authentication.

If it said "do an A/AAAA lookup on the HELO domain name; the
client IP must appear on the list of returned addresses", I
would feel I had a better understanding.

   But there's no reason to say that: it's implied in the SRV
query.

   We could, of course, quibble about whether the SHOULDs should
be MUSTs: I'm sure we're open to discussion about that. We tend
to be rather conservative in using "MUST".

As things stand now, one could read the draft as saying "for
most email purposes, a forward lookup is sufficient; for
other purposes, you may need to do an SPF evaluation against
the HELO domain name" in which case SPF would be compatible
with, and even a part of, the CSV concept.

   Try though I might, I cannot read it that way.

--
John Leslie <john(_at_)jlc(_dot_)net>
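The section 5.2 decision the thread is arguing about, written out as an added example (not code from the CSV draft or from either correspondent): the connecting client's IP address is compared against the list of addresses the SRV query returned, with the three outcomes the quoted text names. The resolver is a stand-in over constructed data, since the real query name and record layout are not discussed above; IPv4-mapped IPv6 client addresses are normalised so a dual-stack listener does not reject an address that is actually on the list.

```python
"""CSV (section 5.2) EHLO domain check over constructed data."""
from ipaddress import IPv6Address, ip_address
from typing import Optional, Sequence

# Constructed stand-in for "the list of IP addresses in the reply to the
# SRV query". Assumption: query name and record details are out of scope.
CONSTRUCTED_SRV_ANSWERS = {
    "mail.example.com": ["192.0.2.10", "192.0.2.11", "2001:db8::25"],
}

AUTHENTICATED = "authenticated"   # SHOULD consider the EHLO name authenticated
INCORRECT = "incorrect"           # assertion SHOULD be rejected with an error
UNDETERMINED = "undetermined"     # no list returned; appendix advice applies


def lookup_csv_addresses(ehlo_domain: str) -> Optional[Sequence[str]]:
    """Hypothetical resolver: the address list, or None when no list comes back."""
    return CONSTRUCTED_SRV_ANSWERS.get(ehlo_domain.lower().rstrip("."))


def _normalise(addr: str):
    """Fold ::ffff:a.b.c.d onto its IPv4 form so list membership is exact."""
    ip = ip_address(addr)
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def csv_check(ehlo_domain: str, client_ip: str, resolve=lookup_csv_addresses) -> str:
    """Apply the section 5.2 rule to one EHLO domain and connecting address."""
    addrs = resolve(ehlo_domain)
    if addrs is None:
        return UNDETERMINED
    client = _normalise(client_ip)
    if any(_normalise(a) == client for a in addrs):
        return AUTHENTICATED
    return INCORRECT


if __name__ == "__main__":
    for dom, ip in [("mail.example.com", "192.0.2.10"),
                    ("mail.example.com", "198.51.100.7"),
                    ("nosrv.example.org", "192.0.2.10")]:
        print(f"EHLO {dom} from {ip}: {csv_check(dom, ip)}")
```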