spf-discuss

Re: Why keep people thinking HELO checks provide a loophole?

2004-02-25 04:09:35
On Wed, 2004-02-25 at 10:45 +0000, Mark wrote:
> Ok; but that is not an SPF issue; let alone an alleged weakness therein.

Indeed. It's just something which SPF could usefully be extended to
check. In fact it makes far _more_ sense in this universe, right now, to
tie HELO to coming from certain IP addresses than it does MAIL FROM:<>

> > I'd be interested in a way to declare that
> > for _any_ HELO argument inside infradead.org, you should accept _only_
> > if there's an A or AAAA record which points back to the connecting host.
>
> A sensible precaution; and I do the same; but not at the location in the
> Milter where I do SPF checks (earlier even). I just see such instance as an
> other, SPF-unrelated, spam-indicator which gives me a nice early out, before
> I even have to make an SPF query.

I'm not sure you mean the same thing. I really mean what I said -- I
want a way to declare to the world that 'HELO *.infradead.org' may only
come from my hosts; to avoid my name appearing in HELO elsewhere.

You seem to be saying that you implement stricter HELO checking
_without_ my input. That's a sane choice too, but sometimes gets false
positives when genuine setups have incompetently run DNS or Microsoft
MTAs.

In particular, if you refused to accept a HELO argument from anyone
without a suitable PTR record which points back to the same name, you'd
refuse my IPv6 hosts, since the 2002::/16 6to4 range doesn't have
working reverse DNS (yet?).

Or if you refuse to accept 'HELO XXX' from anything where 'XXX' isn't a
valid A or AAAA record pointing back to the connecting host, you'll
also get many false positives with MS MTAs which use their NETBIOS
machine name.

> SRS0 is not broken; SRS1 still has the outstanding issue, I believe, on
> whether some sort of a verification callout should be made on the reversed
> SRS0 address. I do not think it was decided yet. :)

Callouts won't fix it; SRS1 is only really broken in the case where the
callout would succeed -- that's when it really _can_ be used as an open
relay.

I suppose you could do a callout and check it will accept _only_ bounces
and not 'real' mail.... but we're definitely getting further and further
from ideas which real people are actually going to implement in the real
world, making it ubiquitous enough for SPF to be deployable.

And we digress; that topic doesn't belong on this list. My point was
just that if SPF supports a mechanism to limit HELO to coming from
certain IP addresses, it would be useful if one could publish such a
record without _any_ chance that hosts would also start checking that
MAIL FROM: the same domain is _also_ limited to those same IP addresses.

-- 
dwmw2
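As an added illustration of the HELO checks argued over in this message (not code from the thread or from any SPF implementation): a Python sketch that forward-confirms the HELO name against the connecting address, falls back to the PTR, and is strict only for domains that have opted in, so bare NETBIOS names and hosts without reverse DNS (the 6to4 case) are reported as unverifiable rather than refused. The FAKE_DNS table and the HELO_STRICT_DOMAINS set are constructed assumptions standing in for real DNS and for the "HELO *.domain only from my hosts" declaration the post asks for; SPF has no such record.

```python
"""HELO/EHLO sanity check: strict only for domains that opted in."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("mx.infradead.org", "A"): ["192.0.2.10"],
    ("mx.infradead.org", "AAAA"): ["2002:c000:204::1"],   # 6to4, no PTR
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mx.infradead.org"],
    ("mail.example.net", "A"): ["198.51.100.7"],
    ("9.113.0.203.in-addr.arpa", "PTR"): ["other.example.com"],
}
# Hypothetical: domains whose owner declared "HELO under me only from my hosts".
HELO_STRICT_DOMAINS = {"infradead.org"}


def resolve(qname: str, rtype: str) -> List[str]:
    """Offline lookup against the constructed table (empty list = NXDOMAIN)."""
    return FAKE_DNS.get((qname.lower().rstrip("."), rtype), [])


def forward_confirmed(helo: str, ip: str) -> bool:
    """Some A/AAAA record of the HELO name equals the connecting address."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    return any(ipaddress.ip_address(r) == addr for r in resolve(helo, rtype))


def reverse_confirmed(helo: str, ip: str) -> bool:
    """The PTR of the connecting address names the HELO argument."""
    ptrs = resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return any(p.rstrip(".").lower() == helo.lower().rstrip(".") for p in ptrs)


def in_domain(name: str, domain: str) -> bool:
    name, domain = name.lower().rstrip("."), domain.lower()
    return name == domain or name.endswith("." + domain)


def helo_verdict(helo: str, ip: str) -> str:
    """Return 'pass', 'fail' or 'unverifiable' for a HELO/EHLO argument."""
    if forward_confirmed(helo, ip) or reverse_confirmed(helo, ip):
        return "pass"
    if any(in_domain(helo, d) for d in HELO_STRICT_DOMAINS):
        return "fail"                  # owner opted in: only their hosts may use it
    if "." not in helo:
        return "unverifiable"          # bare NETBIOS-style machine name
    if not resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR"):
        return "unverifiable"          # no reverse DNS at all, e.g. 2002::/16 6to4
    return "fail"                      # PTR exists and neither direction matches
```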