----- Original Message -----
From: "Greg Connor" <gconnor(_at_)nekodojo(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, February 25, 2004 7:07 PM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???
--Hector Santos <winserver(_dot_)support(_at_)winserver(_dot_)com> wrote:
> In each case, SPF would bypass the spoofing of the winserver.com
> domain.
> That is not a badly configured server, but one that is maliciously
> spoofing the helo domain by using our local domain, winserver.com
Hector- Thanks for the explanation. I believe a number of other people
on this list have addressed your concerns more effectively than I could.
The most I could really do is to repeat the statement already made
multiple times: checking HELO is not the design goal of SPF.
Straight from the SPF Draft:
2.2.1 Terms
This section defines important terms. They can be thought of as
variables in an SPF client. It is crucial that they be interpreted
correctly.
It is RECOMMENDED that the <responsible-sender> be drawn from the
envelope using this algorithm:
The <responsible-sender> comes from the domain name of the "MAIL
FROM" envelope sender. When the envelope sender has no domain, a
client MUST use the HELO domain instead. If the HELO argument does
not provide an FQDN, SPF processing terminates with "unknown".
also...
8.3 Conformance with regard to sending e-mail systems
To be considered SPF-conformant, an SMTP sending host MUST resolve a
"pass" for all the SPF-conformant domains for which it sends mail.
When an SMTP host sends a message delivery status notification
message, it MAY use the null envelope sender:
MAIL FROM: <>
The sender host's HELO/EHLO command string MUST include the Fully
Qualified Domain Name of the sender host, and an SPF record MUST
exist for that FQDN for the host to be considered SPF-conformant.
For example: in a transaction with
HELO mx01.example.com
MAIL FROM: <>
an SMTP+SPF receiver will perform an SPF query of the form
mx01.example.com TXT
and expect a result such as
"v=spf1 ptr:example.com -all"
or
"v=spf1 a -all"
You can't have it both ways.
Thanks for your input.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
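An added example, not code from the SPF draft or from either poster: a Python sketch of the section 2.2.1 derivation quoted in this thread, using a constructed record table in place of DNS so it runs offline. It shows which identity SPF evaluates in each case raised above, including why a non-null MAIL FROM means the HELO name is never the identity SPF checks.

```python
import re

# Constructed SPF records standing in for DNS TXT lookups (assumption: offline table).
SPF_RECORDS = {
    "mx01.example.com": "v=spf1 a -all",
    "example.com": "v=spf1 mx -all",
}

# A hostname counts as an FQDN here only if it has at least two dot-separated labels.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.IGNORECASE)


def responsible_sender(mail_from, helo):
    """Section 2.2.1: the domain SPF checks, or None for "unknown".

    The MAIL FROM domain wins whenever it is present; only a domain-less
    envelope sender (e.g. the null sender "<>") falls back to the HELO name.
    """
    addr = mail_from.strip().strip("<>")
    if "@" in addr:
        domain = addr.rsplit("@", 1)[1]
        if domain:
            return domain.lower()
    helo = helo.strip()
    if FQDN_RE.match(helo):
        return helo.lower()
    return None  # HELO is not an FQDN: processing terminates with "unknown"


def spf_record_for(mail_from, helo):
    """Return the record the client would query, or None when absent or "unknown"."""
    domain = responsible_sender(mail_from, helo)
    return SPF_RECORDS.get(domain) if domain else None


def helo_is_consulted(mail_from, helo):
    """True only when the HELO name is the identity SPF actually evaluates."""
    return responsible_sender(mail_from, helo) == helo.strip().lower()


if __name__ == "__main__":
    # Bounce from a conformant host (section 8.3): the HELO FQDN is what gets checked.
    print(responsible_sender("<>", "mx01.example.com"), spf_record_for("<>", "mx01.example.com"))
    # Non-null sender with an unrelated HELO: SPF evaluates example.com, not the HELO.
    print(responsible_sender("<user@example.com>", "winserver.com"),
          helo_is_consulted("<user@example.com>", "winserver.com"))
    # Null sender but a bare HELO label: not an FQDN, so the result is "unknown".
    print(responsible_sender("<>", "localhost"))
```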