spf-discuss

Re: HELO vs. envelope checks

2004-05-16 23:09:39
On Thu, 6 May 2004, Tony Finch wrote:

I would like to be able to say in SPF for my mail domains
(e.g. cam.ac.uk):

(HELO) No machine may legitimately use this domain as a HELO argument.

(ENV) All sender addresses in this domain are signed and do not have to
come directly from one of my MTA addresses. [There is a LOT of forwarding
in my environment and I cannot break it.]


Sorry about the late reply to this thread, but this may help.  

For HELO I believe it is possible to differentiate the HELO policy from the 
MAIL FROM, using macros that access the localpart %{l}.  During the HELO 
phase, there is no localpart, so I believe %{l} will contain "postmaster".  
So, checking for HELO cam.ac.uk would be the same as checking for MAIL FROM: 
<postmaster@cam.ac.uk>.  (I don't have a browser on this machine, so could 
someone confirm or deny this?)

If that is true, and you don't normally send mail FROM postmaster@$domain, 
then you could do something like the following:

cam.ac.uk.  IN  TXT  "v=spf1 a mx -exists:%{l}.restricted.spf.cam.ac.uk ?all"
postmaster.restricted.spf.cam.ac.uk. IN A 127.0.0.2

This would, I think, prevent mailing from postmaster@cam.ac.uk and also 
prevent other mail servers from claiming HELO cam.ac.uk.


As for accepting only signed return addresses, that could probably be done 
with local part checking as well but it's a little harder.  One idea would be 
to log all the SES addresses for outgoing mail, and add them to the DNS as 
valid localparts for a short time.  The more elegant solution would be to use 
a custom DNS server that is capable of verifying the signature and returning 
IN A 127.0.0.1 for the ones that check out.
   v=spf1 a mx +exists:%{l}.oksenders.%{d} -all
In that case the localpart should be acceptable no matter what mailserver has 
passed the message... but a crafty forger could find a message FROM you and 
copy the SES part to send more mail apparently from you.  Probably this would 
be best used in conjunction with rate limiting and timeout so that the same 
SES could be checked 5-7 times and then invalidated or something.  (As a side 
effect you also have queries coming in to help you track where the mail is 
going, if you bother to log them)

I wonder... have we inadvertently hit on something that might address 
forwarding without requiring the middle agent to use SRS?  The combination of 
SES and %{l} is not as foolproof as actually checking the IP, and you would 
need a rather specialized DNS server to understand SES and rate limiting... 
but it is possible to construct a signing system with SES and SPF, and that 
would create a solution that puts the cost burden on the sender, not the 
forwarder.  Something to think about, anyway... perhaps it would make a good 
interim solution for some sites that don't want to wait for forwarders to 
become SRS-compliant.

In my examples I put +a +mx before the exists: so that the exists: check need 
only be done if the message is not coming from your server directly.


In your second case where you want your mail server to be allowed to HELO with 
that name, but disallow MAIL FROM that domain, it's similar... you could 
use the reverse logic to allow mail from postmaster@$helo_domain and the 
result would be to allow HELO but not MAIL FROM (unless the mail is from 
postmaster).  However, if you have control of the server and you are confident 
that it won't send out inappropriate mail, just go with an a: mechanism; that 
is easier... only that server will be able to use the name, period, and if the 
name is being used inappropriately, you know exactly where to look and fix :)

--
Greg Connor
gconnor@nekodojo.org

Everyone says that having power is a great responsibility.  This is a lot
of bunk.  Responsibility is when someone can blame you if something goes
wrong.  When you have power you are surrounded by people whose job it is
to take the blame for your mistakes.  If they're smart, that is. 
                -- Cerebus, "On Governing"
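The %{l}/exists: logic the message relies on, worked through as an added example that is not part of the original post or of any SPF implementation: a small evaluator for the SPF subset used above (a, mx, exists:, all, qualifiers, %{l} and %{d}) run against a constructed in-memory zone instead of live DNS. The record text and hostnames come from the post; the IP addresses, the example.org zone and the mailbox names are assumptions, and a/mx are matched by exact address rather than CIDR.

```python
# Constructed zone data (assumption): the two records from the post plus the
# A records they depend on.  IPs and localparts other than "postmaster" are
# made up for the example.
ZONE = {
    "cam.ac.uk": {"A": ["192.0.2.10"], "MX": ["mx.cam.ac.uk"],
                  "TXT": ["v=spf1 a mx -exists:%{l}.restricted.spf.cam.ac.uk ?all"]},
    "mx.cam.ac.uk": {"A": ["192.0.2.11"]},
    "postmaster.restricted.spf.cam.ac.uk": {"A": ["127.0.0.2"]},
    "example.org": {"A": ["198.51.100.5"], "MX": [],
                    "TXT": ["v=spf1 a mx +exists:%{l}.oksenders.%{d} -all"]},
    # one currently valid SES-style localpart published by the custom DNS server
    "ses-2004-abc123.oksenders.example.org": {"A": ["127.0.0.1"]},
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Stand-in for a DNS query; empty list means NXDOMAIN / no data."""
    return ZONE.get(name.lower(), {}).get(rtype, [])

def expand(macro_string, sender, domain):
    """Expand only the %{l} (localpart) and %{d} (domain) macros."""
    local = sender.split("@", 1)[0]
    return macro_string.replace("%{l}", local).replace("%{d}", domain)

def check_host(ip, domain, sender):
    """Evaluate the spf1 record of `domain` for `sender` (local@domain)
    connecting from `ip`; returns the SPF result as a string."""
    txt = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(txt) != 1:
        return "none"
    for term in txt[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"   # default qualifier is +
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup(domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(domain, "MX"))
        elif mech.startswith("exists:"):
            # exists: matches when the expanded name has any A record
            matched = bool(lookup(expand(mech[7:], sender, domain), "A"))
        else:
            return "permerror"
        if matched:
            return QUALIFIER[qual]
    return "neutral"   # no mechanism matched and no "all" term

def helo_check(ip, helo_name):
    """HELO check: evaluated as if MAIL FROM were postmaster@<helo name>."""
    return check_host(ip, helo_name, "postmaster@" + helo_name)
```

With this zone a foreign host saying HELO cam.ac.uk gets "fail" because postmaster.restricted.spf.cam.ac.uk resolves, while an ordinary cam.ac.uk sender relayed through a forwarder falls through to ?all and gets "neutral".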