On Thu, 6 May 2004, Tony Finch wrote:
> I would like to be able to say in SPF for my mail domains
> (e.g. cam.ac.uk):
> (HELO) No machine may legitimately use this domain as a HELO argument.
> (ENV) All sender addresses in this domain are signed and do not have to
> come directly from one of my MTA addresses. [There is a LOT of forwarding
> in my environment and I cannot break it.]
Sorry about the late reply to this thread, but this may help.
For HELO I believe it is possible to differentiate the HELO policy from the
MAIL FROM, using macros that access the localpart %{l}. During the HELO
phase, there is no localpart, so I believe %{l} will contain "postmaster".
So, checking for HELO cam.ac.uk would be the same as checking for MAIL FROM:
<postmaster@cam.ac.uk>. (I don't have a browser on this machine, so could
someone confirm or deny this?)
If that is true, and you don't normally send mail FROM postmaster@$domain,
then you could do something like the following:
cam.ac.uk. IN TXT "v=spf1 a mx -exists:%{l}.restricted.spf.cam.ac.uk ?all"
postmaster.restricted.spf.cam.ac.uk. IN A 127.0.0.2
This would, I think, prevent mailing from postmaster@cam.ac.uk and also
prevent other mail servers from claiming HELO cam.ac.uk.
As for accepting only signed return addresses, that could probably be done
with local part checking as well but it's a little harder. One idea would be
to log all the SES addresses for outgoing mail, and add them to the DNS as
valid localparts for a short time. The more elegant solution would be to use
a custom DNS server that is capable of verifying the signature and returning
IN A 127.0.0.1 for the ones that check out.
v=spf1 a mx +exists:%{l}.oksenders.%{d} -all
In that case the localpart should be acceptable no matter what mailserver has
passed the message... but a crafty forger could find a message FROM you and
copy the SES part to send more mail apparently from you. Probably this would
be best used in conjunction with rate limiting and timeout so that the same
SES could be checked 5-7 times and then invalidated or something. (As a side
effect you also have queries coming in to help you track where the mail is
going, if you bother to log them)
I wonder... have we inadvertently hit on something that might address
forwarding without requiring the middle agent to use SRS? The combination of
SES and %{l} is not as foolproof as actually checking the IP, and you would
need a rather specialized DNS server to understand SES and rate limiting...
but it is possible to construct a signing system with SES and SPF, and that
would create a solution that puts the cost burden on the sender, not the
forwarder. Something to think about, anyway... perhaps it would make a good
interim solution for some sites that don't want to wait for forwarders to
become SRS-compliant.
In my examples I put +a +mx before the exists: so that the exists: check need
only be done if the message is not coming from your server directly.
In your second case where you want your mail server to be allowed to HELO with
that name, but disallow MAIL FROM that domain, it's similar... you could
use the reverse logic to allow mail from postmaster@$helo_domain and the
result would be to allow HELO but not MAIL FROM (unless the mail is from
postmaster). However, if you have control of the server and you are confident
that it won't send out inappropriate mail, just go with an a: mechanism; that
is easier... only that server will be able to use the name, period, and if the
name is being used inappropriately, you know exactly where to look and fix :)
--
Greg Connor
gconnor@nekodojo.org
Everyone says that having power is a great responsibility. This is a lot
of bunk. Responsibility is when someone can blame you if something goes
wrong. When you have power you are surrounded by people whose job it is
to take the blame for your mistakes. If they're smart, that is.
-- Cerebus, "On Governing"
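The two policies discussed in the message above, worked through as an added example that is not part of the original post or of any SPF library: a small offline SPF evaluator that understands the `a`, `mx`, `exists` and `all` mechanisms and the `%{l}`/`%{d}` macros, run against constructed zone data. It takes the post's premise as an assumption: a HELO check is evaluated as if MAIL FROM were `postmaster@<helo-domain>`, so `%{l}` expands to `postmaster`. The zone contents, the host `mx.cam.ac.uk`, the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24), the `example.net` domain and the SES-style localpart `ses0=k9f3=fred` are all made up for the example; macro transformers (digits, `r`) and IPv6 are not implemented.

```python
"""Offline evaluation of the HELO-vs-MAIL-FROM SPF policy from the post.

Added example, not the post's or any SPF implementation's code. Assumptions:
  - a HELO check uses the sender postmaster@<helo-domain> (so %{l} = "postmaster")
  - DNS is a constructed in-memory table; no network lookups are made
  - only a, mx, exists, all and the simple %{l} %{d} %{o} %{s} %{i} %{h} macros
"""
import ipaddress

# Constructed zone data (hypothetical names and documentation-range addresses).
ZONE = {
    # Policy from the post: own MTAs pass; anyone else using the localpart
    # "postmaster" (i.e. HELO cam.ac.uk, or MAIL FROM postmaster@...) fails.
    ("cam.ac.uk", "TXT"): ["v=spf1 a mx -exists:%{l}.restricted.spf.cam.ac.uk ?all"],
    ("cam.ac.uk", "A"): ["198.51.100.1"],
    ("cam.ac.uk", "MX"): ["mx.cam.ac.uk"],
    ("mx.cam.ac.uk", "A"): ["198.51.100.25"],
    ("postmaster.restricted.spf.cam.ac.uk", "A"): ["127.0.0.2"],
    # Second policy from the post: a signed (SES-style) localpart passes from
    # any IP; an unsigned localpart from a foreign host fails.
    ("example.net", "TXT"): ["v=spf1 a mx +exists:%{l}.oksenders.%{d} -all"],
    ("example.net", "A"): ["198.51.100.77"],
    ("ses0=k9f3=fred.oksenders.example.net", "A"): ["127.0.0.1"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Simulated DNS query: returns the record list or [] (NXDOMAIN/NODATA)."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def expand(spec, sender, domain, ip, helo):
    """Expand SPF macros in a domain-spec (no transformers, toy subset)."""
    local, _, sender_domain = sender.partition("@")
    letters = {"s": sender, "l": local, "o": sender_domain,
               "d": domain, "i": str(ip), "h": helo}
    out, i = [], 0
    while i < len(spec):
        if spec[i] != "%":
            out.append(spec[i])
            i += 1
        elif spec[i + 1] in "%_-":            # %% %_ %- literals
            out.append({"%": "%", "_": " ", "-": "%20"}[spec[i + 1]])
            i += 2
        else:                                 # %{x}
            end = spec.index("}", i)
            out.append(letters[spec[i + 2]])
            i = end + 1
    return "".join(out)


def evaluate(ip, sender, domain, helo):
    """Walk the domain's spf1 record left to right; first matching term wins."""
    ip = str(ipaddress.ip_address(ip))        # normalise, IPv4 only in this toy
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "exists":
            matched = bool(lookup(expand(arg, sender, domain, ip, helo), "A"))
        else:
            return "permerror"                # unsupported mechanism
        if matched:
            return QUALIFIER[qual]
    return "neutral"                          # ran off the end of the record


def check_helo(ip, helo):
    """HELO check: assumed to run as MAIL FROM postmaster@<helo-domain>."""
    return evaluate(ip, "postmaster@" + helo, helo, helo)


def check_mail_from(ip, sender, helo):
    return evaluate(ip, sender, sender.partition("@")[2], helo)


if __name__ == "__main__":
    print("foreign host HELO cam.ac.uk          ->", check_helo("192.0.2.10", "cam.ac.uk"))
    print("foreign host MAIL FROM user@cam       ->", check_mail_from("192.0.2.10", "user@cam.ac.uk", "mail.example.org"))
    print("own MX HELO cam.ac.uk                 ->", check_helo("198.51.100.25", "cam.ac.uk"))
    print("forwarder relaying signed localpart   ->", check_mail_from("192.0.2.10", "ses0=k9f3=fred@example.net", "fwd.example.org"))
    print("forwarder relaying unsigned localpart ->", check_mail_from("192.0.2.10", "fred@example.net", "fwd.example.org"))
```

Because `a mx` precede `-exists:`, a message from the domain's own MTA never reaches the `exists` lookup, which is the ordering point made in the message; the same foreign host gets `fail` for HELO cam.ac.uk (and for MAIL FROM postmaster@cam.ac.uk, the side effect the post accepts) but only `neutral` for any other localpart. The `example.net` record shows the other direction: a localpart present under `oksenders` passes from any IP, so a forwarder does not need SRS, and an unsigned localpart from that forwarder hits `-all`. The replay weakness the post notes is visible too: anyone who has seen `ses0=k9f3=fred` can reuse it until that name is removed from the zone.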