spf-discuss
[Top] [All Lists]

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-06 16:59:03
So, I would highly recommend against converting softfail into fail.
Doing so will cause publishers of SPF records to be reluctant to use
softfail.  If they could confidently state that the message was a
forgery, they would have used fail, not softfail.

--David <david(_at_)ols(_dot_)es> wrote:
that's clear when you test the envelope sender. Now let's supose that
you want to spf-test a HELO argument and you get 'softfail', it's
almost sure that the domain owner has used softfail to avoid breaking
forwarding. In the other hand it has nosense to allow any unknow host
to use your domain in the HELO, but as you are not able to specify a
softfail for envelope sender tests and a fail for helo's ,maybe a
softfail could be safely 'converted' to a fail when testing helo's.


I understand the reasons why you might want to specify a tighter, more restrictive policy on HELO than on MAIL FROM with regard to your domain. Here's another example: what if your own mail servers HELO with mail1.example.com and mail2.example.com, and NO servers should ever HELO with just "example.com". It's overloading the "example.com" SPF record to use it for both.

However, I had made the suggestion NOT to add more complexity to the SPF record, to NOT make HELO handling different from MAIL FROM handling, for two reasons. First, because HELO is an add-on option, it is not really the true reason for SPF to be created, it's a fallback mode designed for MAIL FROM: <> that MAY have some usefulness for other mail, but I don't think it's worth confusing people more by adding stuff to the language.

Second, I think there are ways to get around the issue by using macros. Here is an example. Let's say my SPF record is:

 example.com.   IN   TXT   "v=spf1 ptr a mx ~all"

That gives a softfail for everything not from my designated sources, so nothing ever completely fails. I could alter this slightly to add an exists lookup and an extra A record:

example.com. IN TXT "v=spf1 ptr a mx -exists:%{l}.restricted.example.com ~all"
 postmaster.restricted.example.com.   IN   A   127.0.0.2

This is basically saying "Just about anybody *might* send mail from anywhere, but not as postmaster. If postmaster(_at_)example(_dot_)com is ever used for outgoing mail, it should only be accepted based on "ptr a mx"

And this would block HELO usage as well (since HELO checking uses "postmaster" as the local part).

Now, granted, this is not an elegant solution, but the times when you would want to restrict HELO more tightly than MAIL FROM are probably rare enough, that a macro-based solution is probably better than altering the SPF language, or altering the way softfail works, at this point.

feedback appreciated :)

gregc

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>