So your argument is?
SPF + Most MTAs with HELO checks = GOOD system
SPF + MTAs with no HELO checks = BAD system
If so, therefore SPF is dependent on the MTA having a HELO check because if
it doesn't, its a loophole or makes the SPF specification weak.
You can't have it both ways.
Look, this is not about your implementaton with EXIM or my implementation
with Wildcat! We have it solved. It is about getting it right with the
specifications for the next guy who is going to write an SMTP server. You
have to keep in mind that per RFC 2821 alone, HELO/EHLO or MAIL FROM
validation is not an requirement. However, augmenting it with SPF support
makes it a requirement now.
At a mininum, the SPF specification must indicate that a non-NULL return
path presents a loophole scenario and therefore since SPF has not provision
for it, the SMTP server must implement this check on its own.
This is the kind of technical flaws that makes such specifications a bad
reputation and its ashame this is not seen early in this stage before it is
widely adopted and people eventually see it. What is going to happen is
this?
"Hey I'm writing a new SMTP server and I want to add SPF support. some
direction please?"
"Go to http://spf.pobox.com and get the latest specs and btw way, don't
forget to do the HELO/EHLO check in your SMTP server because SPF does not
check for this possible spoofing."
"Huh? I thought that was what SPF was all about? hmmmm, well, ok, thanks
for the heads up."
Thats going to be that common situation, you will see. The kind of
"kludging" we saw in the last 20 years with SMTP that lead us to where we
are at today.
SPF needs at least local domain spoofing logic as part of its functional
algorythm.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
----- Original Message -----
From: "Frank Segtrop" <frank(_dot_)segtrop(_at_)estiem(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, February 24, 2004 5:29 AM
Subject: Re: [spf-discuss] the role of the HELO domain
Hi,
I see no need to do HELO check in SPF.
Most MTAs can do that independently already.
Setting "helo_verify_hosts= *" will cause Exim to reject mails when
- the HELO argument is not an ip literal matching the calling address of
host, and
- the host name in the HELO argument does not match a name obtained by a
reverse lookup, and
- a lookup of the hostmname does not yield the calling host address.
Other MTAs have similar settings as well.
Regards,
Frank Segtrop
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/spf-draft-20040209.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡