spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Possible SPF machine-domain loophole???

2004-02-26 11:12:12
from [Greg Connor] [Permanent Link] 
--Hector Santos <winserver(_dot_)support(_at_)winserver(_dot_)com> wrote:



----- Original Message -----
From: "Greg Connor" <gconnor(_at_)nekodojo(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, February 26, 2004 12:51 AM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???



Did you not agree with the statement "checking HELO is not the design
goal of SPF," or did you not understand it?


No, I uncategorically, without a doubt, do not agree with it.

The client domain name as provided in the HELO/EHLO state of the SMTP
state machine *is very much part* of the SPF function specification
validation logic, alogythm, design goal, etc, etc, etc.

I think it is clear in the specs that "checking HELO is *ONE* of the
design goals of SPF"
I guess we are going to have to agree to disagree on this. I didn't design it, so I can't say first-hand what the design goals were. The best information I can refer to is Meng's statement that checking the HELO was not one of the design goals when he designed it. In other words, I am more inclined to believe the designer himself than to believe your interpretation of the document he wrote.
It seems clear that HELO is *mentioned* in the spec, as a "fallback" or "secondary" means to identify/validate mail from <> - but this seems more a means to an end, or a method/tool, than a "goal".
However, despite our disagreement, I think there are ways to move forward in a way that satisfies your goals as well as the design goals. I have made one such suggestion and I will let Meng comment on whether this is suitable. 



The loophole is again non-null return paths has no provision to even check
for local domain spoofing  which is the *Heart and Soul" f the LMAP based
proposals - to protect YOUR local domains (domains own by the MTA) from
spoofers.
I also reject your premise that "checking for local domain spoofing is the heart and soul of LMAP proposals". I don't think that is supported by any evidence I have seen. If I were to design a tool to protect spoofing of my local domains, to my own local servers, it would be much easier to design and implement than SPF. On the contrary, it seems clear to me that *Remote* or *Third Party* spoofing of my domains is the main objective of any LMAP proposal. 

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  General Status of SPF, Laszlo Toth
Next by Date:  Re: Re: Possible SPF machine-domain loophole???, Greg Connor
Previous by Thread:  Re: Possible SPF machine-domain loophole???, Hector Santos
Next by Thread:  Re: Possible SPF machine-domain loophole???, Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]