On Fri, Oct 10, 2003 at 08:51:34PM +0200, Loic Prylli wrote:
| Meng Weng Wong wrote:
|
| >3) Each configuration directive represents a different approach to
| > answering the "is this client for real" question.
| >
| > "permit:mx; permit:a=designated-mailers.DOMAIN; permit:spf;
| >include:OTHERDOMAIN; deny:default"
| >
|
| Would it be feasible to also include a way to reference authorized
| mailers by a name pattern:
| like: *.mx.lao.com (either through something like
| "permit:pat=*.mx.lao.com" in the spf config._smtp_client.... record, or
| something like
| "permit:ptr=some.domain", and the list of patterns would in PTR record
| at some.domain).
|
Well, that was a productive flight. I have added a PTR mechanism:

  2.4.3 PTR

    First, perform a PTR lookup on the connecting client IP; then
    perform an A lookup back to an IP address. If one of the PTR names
    resolves back to the original IP address, the PTR response is
    considered valid. Then, if that resolving PTR entry ends in the
    specified domain-name, this mechanism returns "allow".

  2.4.3.1 Example

    spf-1._smtp_policy.example.com IN TXT
        "ptr default=deny exp=This is a test of SPF"

    SMTP client comes from the IP address 1.2.3.4.

    PTR(1.2.3.4) returns two results: "foo.example.net" and "bar.example.com".

    A(foo.example.net) returns two results: 2.3.4.5 and 3.4.5.6.
      This is an invalid result because the A record does not point back
      to the original IP.

    A(bar.example.com) returns two results: 1.2.3.4 and 2.3.4.5.
      This is a valid result because the A record does point back to the
      original IP.

    bar.example.com does end in example.com; therefore this mechanism
    returns "allow".
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
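The PTR mechanism described in the message above, as an added example that is not code from the original post or from the SPF project. It replaces real DNS with a constructed in-memory table reproducing the 1.2.3.4 example, and the cap on PTR names checked (max_names) is an assumption added here to bound DNS work per client; the post sets no such limit.

```python
"""Reference check for the proposed SPF "ptr" mechanism (added example)."""

# Constructed DNS data mirroring the example in the post.
PTR_RECORDS = {
    "1.2.3.4": ["foo.example.net", "bar.example.com"],
}
A_RECORDS = {
    "foo.example.net": ["2.3.4.5", "3.4.5.6"],  # does not point back to 1.2.3.4
    "bar.example.com": ["1.2.3.4", "2.3.4.5"],  # points back: validated PTR
}


def lookup_ptr(ip):
    """Stand-in for a reverse (PTR) lookup against the constructed table."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name):
    """Stand-in for a forward (A) lookup against the constructed table."""
    return A_RECORDS.get(name, [])


def ends_in_domain(name, domain):
    """True if name equals domain or is a subdomain of it, comparing on
    label boundaries so 'notexample.com' does not match 'example.com'."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def ptr_mechanism(client_ip, domain, ptr=lookup_ptr, a=lookup_a, max_names=10):
    """Return ("allow", validated_name) when some PTR name of client_ip
    resolves forward to client_ip and ends in domain; else (None, None),
    leaving the record's default (deny in the example) to apply.
    max_names is an assumed cap, not part of the proposal."""
    for name in ptr(client_ip)[:max_names]:
        if client_ip not in a(name):
            continue  # forward lookup does not confirm the PTR: ignore it
        if ends_in_domain(name, domain):
            return "allow", name
    return None, None
```

Only PTR names that resolve forward to the client IP are considered, so a reverse record pointing at an unrelated name in the target domain is rejected.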