spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-24 09:41:24
On 24 Feb 2004 at 11:27, Theo Schlossnagle wrote:

| That was my idea too. I have no problem with bad HELO strings from 
| misconfigured senders, but I have a problem when someone forges my domain
| in a HELO string. So if someone says "HELO mail.baschny.de", and I have
| 
|   mail.baschny.de. IN TXT "v=spf1 -all"
| 
| this would mean "this host NEVER sends emails", so it should be rejected.

I don't agree with that.  We are talking about "senders" as the mail
from.  My interpretation of that record says that no mail should ever be
acceptable with an envelope sender @mail.baschny.de.  If your machine
wants to send mail (from a cron job throwing an error), it should be
allowed to do so -- it just needs to make sure the envelope sender is
not @mail.baschny.de.

When talking about the HELO string, we are not talking about "sender"
(email address) but "sending machine" (hostname). This is how SPF already
checks bounces in the absence of a return path (MAIL FROM:<>). The new
idea in this thread is to also check the HELO string when it's not a
bounce (DSN).

My understanding was that SPF allows you to determine which hosts are
permitted to send mail with envelopes like @domaininquestion.com.  The
above argument says that SPF allows a host to dictate that.  It's
backwards.

My view is that SPF should allow me to determine how my domain or
subdomain can be used in an SMTP communication (I consider the MAIL FROM
and HELO information to be "sender" information, one is the return 
path, the other the sending client name).

Specifically my email address is not @mail.omniti.com -- so, it would
be reasonable to add a: mail.omniti.com IN TXT "v=spf1 -all" record. As
no legitimate mail should have an envelope sender with the domain
@mail.omniti.com.  But my mail server damn well better be able to send
mail, and it should be able to use mail.omniti.com as its EHLO
argument...

To do that, you specify:
 
  mail.omniti.com IN TXT "v=spf1 a -all"

The 'a' mechanism tells the receiver that a HELO with this string coming
from an IP that mail.omniti.com resolves to is OK, so your mailserver
still can send emails, while no other sender will be able to forge 
mail.omniti.com in the HELO string.

That's already the recommended way of adding SPF records to your
MX-servers (check the Wizard at http://spf.pobox.com/). This is already
being used to check the HELO string, but only on DSNs.


-- 
Ernesto Baschny <ernst(_at_)baschny(_dot_)de>
 http://www.baschny.de - PGP: http://www.baschny.de/pgp.txt
 Sao Paulo/Brasil - Stuttgart/Germany
 Ernst(_at_)IRCnet - ICQ# 2955403
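
The HELO check discussed in this message, as an added example that is not part of the original thread or of any SPF implementation: a minimal evaluator that looks up the SPF record of the HELO name and tests the connecting IP against the `a` and `all` mechanisms only. The zone table, its documentation-range IP addresses and the `legacy.example` host are constructed assumptions.

```python
import ipaddress

# Constructed zone data: the TXT strings are the two records from the thread,
# the A records use documentation-range addresses, not real DNS answers.
ZONE = {
    "mail.omniti.com": {"TXT": "v=spf1 a -all", "A": ["192.0.2.10"]},
    "mail.baschny.de": {"TXT": "v=spf1 -all", "A": ["192.0.2.20"]},
    "legacy.example": {"A": ["192.0.2.30"]},  # hypothetical host, no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_helo(helo, client_ip, zone=ZONE):
    """Evaluate the SPF record published for the HELO name against client_ip.

    Supports only the 'a' and 'all' mechanisms; anything else is reported
    as 'permerror' rather than guessed at.
    """
    name = helo.lower().rstrip(".")
    terms = zone.get(name, {}).get("TXT", "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no policy published for this HELO name
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # 'a' without an argument means the A records of the HELO name itself
            target = (arg or name).lower().rstrip(".")
            addrs = zone.get(target, {}).get("A", [])
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without any mechanism matching


if __name__ == "__main__":
    for helo, ip in [("mail.omniti.com", "192.0.2.10"),   # the real server
                     ("mail.omniti.com", "203.0.113.5"),  # forged HELO
                     ("mail.baschny.de", "192.0.2.20"),   # "-all" only
                     ("legacy.example", "192.0.2.30")]:
        print(f"HELO {helo} from {ip}: {check_helo(helo, ip)}")
```

With `v=spf1 -all` alone, even the host's own address fails the HELO check, which is why the `a` mechanism is needed on a name that a sending server uses in HELO.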