spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-29 16:55:19
--On Sunday, February 29, 2004 16:08:42 -0500 Theo Schlossnagle <jesus(_at_)omniti(_dot_)com> wrote:
[...]
Maybe someone can explain to me why this is an issue at all.  If we are
in here mucking with the MTA anyway (for SPF) why don't we just mandate
that the MTA does away with putting the domain in the Received header
like that.

Because RFC2821 states the exact opposite:

  -  The FROM field, which MUST be supplied in an SMTP environment,
     SHOULD contain both (1) the name of the source host as presented
     in the EHLO command and (2) an address literal containing the IP
     address of the source, determined from the TCP connection.

 It seems to me (looking at the ABNF for trace headers in RFC
2821) that we could be completely compliant by _always_ using the IP
address that connected:

On page 51, we see:

Extended-Domain = Domain /
            ( Domain FWS "(" TCP-info ")" ) /
            ( Address-literal FWS "(" TCP-info ")" )

This is just because the client could use either an FQDN or an address
literal - you on the other hand have to record exactly what the client
sent you (and you may put any additional info into comments).

Ralf
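
An added example, not part of the original message: a parser for the FROM clause of a Received header that follows the Extended-Domain ABNF quoted above and keeps the client-supplied EHLO argument separate from the TCP-info the receiving server recorded. The TCP-info rule is taken from RFC 2821 section 4.4, the Domain and Address-literal patterns are simplified assumptions, and the function names are hypothetical.

```python
import ipaddress
import re

# Simplified token patterns (assumption): the full RFC 2821 grammar is stricter.
DOMAIN = r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
LITERAL = r"\[(?:IPv6:)?[0-9A-Fa-f:.]+\]"
# Extended-Domain as quoted in the message, with
# TCP-info = Address-literal / ( Domain FWS Address-literal ) from RFC 2821.
FROM_CLAUSE = re.compile(
    rf"^\s*from\s+(?P<ehlo>{DOMAIN}|{LITERAL})"
    rf"(?:\s+\((?:(?P<tcp_name>{DOMAIN})\s+)?(?P<tcp_ip>{LITERAL})\))?",
    re.IGNORECASE,
)


def literal_to_ip(literal):
    """Turn '[192.0.2.1]' or '[IPv6:2001:db8::1]' into an ipaddress object."""
    inner = literal[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    return ipaddress.ip_address(inner)


def parse_from_clause(received):
    """Separate what the client claimed from what the server observed."""
    m = FROM_CLAUSE.match(received)
    if m is None:
        raise ValueError("no FROM clause at start of Received value")
    ehlo, tcp_ip = m.group("ehlo"), m.group("tcp_ip")
    if tcp_ip is None:
        # A bare address literal is not one of the three alternatives.
        form = "nonconforming" if ehlo.startswith("[") else "domain"
    elif ehlo.startswith("["):
        form = "address-literal+tcp-info"
    else:
        form = "domain+tcp-info"
    return {
        "form": form,                      # which Extended-Domain alternative
        "ehlo": ehlo,                      # client-supplied, unverified
        "tcp_name": m.group("tcp_name"),   # optional name inside TCP-info
        "tcp_ip": literal_to_ip(tcp_ip) if tcp_ip else None,  # from the connection
    }


def literal_claim_mismatch(parsed):
    """True when an EHLO address literal differs from the TCP-info address."""
    if parsed["form"] != "address-literal+tcp-info":
        return False
    return literal_to_ip(parsed["ehlo"]) != parsed["tcp_ip"]
```
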