spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-25 17:28:38
Ah!  I am gratified to see that we agree on more points than we disagree :)


--Ernesto Baschny <ernst(_at_)baschny(_dot_)de> wrote:
> I don't see how checking a bogus HELO can make you lose legitimate mail.
> I understand that there are lots of nonsense HELO strings like PC12343,
> mailer.local, or "localhost", but none of those will fail any SPF check,
> since there is no SPF record for those domains.

I'm sure you are right. It is pretty unlikely that someone setting up his mailserver stuck in "microsoft.com" for the name. I'm just being ultra-paranoid about it since I don't have much real world data.


>> 3. We are already recommending to people that mail servers have their
>> own SPF records, so bounce messages from those servers can be
>> validated, we are just (optionally!) widening the range of
>> applicability of those checks. Therefore, I don't think we really need
>> to change the spec to add scope=helo. If the existing spec works, use
>> it. In other words, it is opt-in for the receiver, but we are not
>> giving the sender a choice, since we have already told them to set up
>> mail server records.

> The problem without the "scope" is that you mix the configuration of
> HELO hostnames and MAIL FROM domains. There is no way to declare one
> thing for "MAIL FROM:<bogus(_at_)baschny(_dot_)de>" and another thing for
> "HELO baschny.de". In most cases the same policy would apply, but I
> can imagine that someone will come up with a case where this is not
> true. Maybe we should wait to see if such a case appears?

> Even with "scope=" I understand that there is no way to create a
> differentiated policy for HELO and MAIL FROM checks. With the limited
> syntax possibilities I also don't see any way around it.


For most users, I think "MAIL FROM:<user(_at_)baschny(_dot_)de>" and "HELO baschny.de" could probably be covered by the same SPF record. It's probably the same policy for most. The way this would really limit you is that you can't make the HELO policy MORE restrictive than the normal SPF policy.

Most of the time your real mail servers will not call themselves HELO baschny.de anyway, so you would consult the SPF record for "mail2.baschny.de" or whatever the HELO name was. Maybe "HELO baschny.de" is *always* a forgery... but you can hopefully use the normal SPF policy to cover this; in other words, you state that "mx" and "ptr:serverdienst.net" are allowed to say this (though they never will, you trust them :) and other servers are not allowed.

Anyway, it should be quite easy to implement because we have already implemented it for the case of MAIL FROM: <> - just apply the same logic to any/all HELO lines.




--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
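The check Greg describes, as an added illustration that is not code from the list or from any SPF implementation: the same evaluator is run against the HELO hostname as against the MAIL FROM domain, an empty reverse path (a bounce) falls back to the HELO identity, and a HELO name with no published record yields "none" rather than a failure. The DNS table is constructed for the example (the hosts, addresses and records are hypothetical), and only the ip4, a, mx and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS lookups; every record here is hypothetical.
DNS = {
    "baschny.de": {"TXT": "v=spf1 mx ip4:192.0.2.0/24 -all",
                   "MX": ["mail2.baschny.de"]},
    "mail2.baschny.de": {"TXT": "v=spf1 a -all", "A": ["192.0.2.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    return DNS.get(domain, {}).get("TXT")


def a_records(domain):
    return DNS.get(domain, {}).get("A", [])


def mx_hosts(domain):
    return DNS.get(domain, {}).get("MX", [])


def evaluate(domain, ip):
    """Evaluate the SPF record published for `domain` against the
    connecting `ip`. Returns none, pass, fail, softfail or neutral."""
    record = spf_record(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # nothing published: nothing can fail
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain  # 'a' and 'mx' default to the checked domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in a_records(target)
        elif mech == "mx":
            matched = any(ip in a_records(h) for h in mx_hosts(target))
        else:
            matched = False    # unsupported mechanism: treat as no match
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # record exhausted without a match


def check_helo(helo, ip):
    # Same logic as MAIL FROM, applied to the HELO hostname itself.
    return evaluate(helo, ip)


def check_mail_from(mail_from, helo, ip):
    # Empty reverse path (bounce): use the HELO identity instead.
    address = mail_from.strip("<>")
    if address == "":
        return evaluate(helo, ip)
    return evaluate(address.rsplit("@", 1)[-1], ip)
```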