spf-discuss

Re: HELO vs. envelope checks

2004-05-06 11:13:17
On Thu, 2004-05-06 at 09:29, Tony Finch wrote:
> I would like to be able to say in SPF for my mail domains
> (e.g. cam.ac.uk):
>
> (HELO) No machine may legitimately use this domain as a HELO argument.
>
> (ENV) All sender addresses in this domain are signed and do not have to
> come directly from one of my MTA addresses. [There is a LOT of forwarding
> in my environment and I cannot break it.]

First, let me make clear that SPF was originally designed to check the
envelope only.  HELO checking was added as an optional check later due
to much discussion brought about by Hector, and has slightly different
behavior.  Because of this, there is currently no way to define
different policy for the two independently; they both use the same SPF
record for the check.  That being said, there used to be a way to meet
your first assertion, assuming the receiving MTA's SPF implementation
supported (or can recognize) your type of message signing:

There were originally a few mechanisms being discussed for such a
purpose, but I believe they've been removed from the spec (for now). 
The mechanisms were 'pgp', 'smime', and 'dk', for PGP, S/MIME, and
DomainKeys (respectively).  Using these mechanisms (and assuming that
the receiving implementations know what to do with them), your record
would be something like one of these:

cam.ac.uk       IN      TXT     v=spf1 pgp -all
cam.ac.uk       IN      TXT     v=spf1 smime -all
cam.ac.uk       IN      TXT     v=spf1 dk -all

These basically say pass messages that are signed by the respective
methods, and deny anything else.  Because you're not using an addressing
mechanism (a, mx, etc), your messages are not restricted by address, and
are only denied if they are not signed.  You are correct though, without
these mechanisms, you currently cannot make the assertion you outlined
above in SPF, as far as I'm aware.  Someone please correct me if I am
wrong.

> I would like to be able to say in SPF for my mail servers
> (e.g. ppsw-0.csi.cam.ac.uk):
>
> (HELO) Only this machine may use this domain as a HELO argument.
>
> (ENV) No machine sends email from addresses @ this domain. [Though we
> accept email sent to postmaster@ this domain.]

As I mentioned, with current SPF there is no way to define independent
policies for the two separate elements.  The closest you could probably
come is this:

ppsw-0.csi.cam.ac.uk    IN      TXT     v=spf1 a:addr.of.the.host -all

This will restrict mail to only be allowed to come from the single host,
and if you don't send mail from that host (as you claim, the domain
sends no mail), this policy should meet that requirement.  If that host
does start sending mail from that domain, you may have bigger problems
on your hands (:

Now IF the receiving MTA does SPF checks on HELO, then this will also
restrict the use of the host's hostname in HELO to the single host. 
Again, SPF checking the HELO I believe is currently still an optional
check, to be used at the receiving MTA admin's discretion.

Hope this helped, and please feel free to correct me if I am wrong, I've
been a bit behind on keeping up with the spec.

-- 
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
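
An added illustration, not part of the original message: a simplified SPF evaluator (only `a`, `ip4` and `all`) run over constructed DNS data, showing that the HELO check and the envelope check each evaluate the single record published at their own domain, so one policy serves both. The TXT record is the one from the message; the IP addresses and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed DNS data: the TXT record is the one quoted in the message; the
# address is a documentation-range placeholder, not the real host's IP.
TXT = {"ppsw-0.csi.cam.ac.uk": "v=spf1 a:addr.of.the.host -all"}
A = {"addr.of.the.host": ["192.0.2.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Evaluate a simplified SPF record (a, ip4, all only) published at domain."""
    record = TXT.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        # A missing qualifier means "+", as in the SPF syntax.
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            hosts = A.get((arg or domain).lower(), [])
            matched = any(client == ipaddress.ip_address(h) for h in hosts)
        elif name == "ip4" and arg:
            matched = client in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def check_session(ip, helo, mail_from):
    """Check both identities; each one uses the record at its own domain.

    An empty reverse-path falls back to the HELO domain, as RFC 7208 defines.
    """
    env_domain = mail_from.rpartition("@")[2] if mail_from else helo
    return {"helo": check_host(ip, helo), "mailfrom": check_host(ip, env_domain)}


if __name__ == "__main__":
    host = "ppsw-0.csi.cam.ac.uk"
    print(check_session("192.0.2.10", host, "postmaster@" + host))    # the real host
    print(check_session("198.51.100.7", host, "someone@" + host))     # an impostor
```

A receiver that skips the optional HELO check would only ever produce the `mailfrom` result, which is why the record cannot restrict HELO use on its own.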


