spf-discuss
[Top] [All Lists]

Re: Possible SPF machine-domain loophole???

2004-02-24 09:27:02
| That was my idea too. I have no problem with bad HELO strings from 
| misconfigured senders, but I have a problem when someone forges my domain
| in a HELO string. So if someone says "HELO mail.baschny.de", and I have
| 
|   mail.baschny.de. IN TXT "v=spf1 -all"
| 
| this would mean "this host NEVER sends emails", so it should be rejected.

I don't agree with that.  We are talking about "senders" as the mail
from.  My interpretation of that record says that no mail should ever be
acceptable with an envelope sender @mail.baschny.de.  If you machine
wants to send mail (from a crob job throwing an error), it should be
allowed to do so -- it just needs to make sure the envelope sender is
not @mail.baschny.de.

My understanding was that SPF allows you to determine which hosts are
permitted to send mail with envelopes like @domaininquestion.com.  The
above argument says that SPF allows a host to dictate that.  It's
backwards.

Specifically  my email address is not @mail.omniti.com -- so, it would
be reasonable to add a: mail.omniti.com IN TXT "v=spf1 -all" record. As
no legitimate mail should have an envelope sender with the domain
@mail.omniti.com.  But my mail server damn well better be able to send
mail, and it should be able to use mail.omniti.com as it's EHLO
argument...

-- 
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// Postal Engine -- http://www.postalengine.com/
// Ecelerity: fastest MTA on earth