On Fri, 18 Jun 2004 16:37:55 -0400, Meng Weng Wong wrote:
Use Case 3: dialup ISP
example.net is an ISP with a web server, a dialin pool, and
an MX pool. This is an example that begins to approach the
complexity seen in the real world.
Web server:
example.net A 192.0.2.1
192.0.2.1 PTR example.net
www.example.net A 192.0.2.1
Dialin pool:
3-20.dialin.example.net A 192.0.3.20
192.0.3.20 PTR 3-20.dialin.example.net
3-21.dialin.example.net A 192.0.3.21
192.0.3.21 PTR 3-21.dialin.example.net
3-22.dialin.example.net A 192.0.3.22
192.0.3.22 PTR 3-22.dialin.example.net
3-23.dialin.example.net A 192.0.3.23
192.0.3.23 PTR 3-23.dialin.example.net
MX pool:
example.net MX 10 a.mx.example.net
a.mx.example.net A 192.0.2.10
192.0.2.10 PTR a.mx.example.net
example.net MX 11 b.mx.example.net
b.mx.example.net A 192.0.2.11
192.0.2.11 PTR b.mx.example.net
Dialin users are expected to configure their MUAs to send
mail through smtp.example.net.
smtp.example.net A 192.0.2.10
smtp.example.net A 192.0.2.11
When mail is sent, in the common case,
192.0.2.10 sends mail with
HELO a.mx.example.net
MAIL FROM:<user@example.net>
From: <user@example.net>
192.0.2.11 sends mail with
HELO b.mx.example.net
MAIL FROM:<user@example.net>
From: <user@example.net>
* * *
SPF Classic
SPF Classic requires these four SPF records:
example.net TXT "v=spf1 a mx -all"
www.example.net TXT "v=spf1 a -all"
a.mx.example.net TXT "v=spf1 a -all"
b.mx.example.net TXT "v=spf1 a -all"
The first is the important one; the second is there to
prevent spoofing of the www address; the third and fourth
are for HELO fallback, for when a.mx and b.mx need to send
NDNs with null MAIL FROM:<>.
* * *
"Am I an MTA Or Not?": MTAMark / Selective Sender
MTAMark asks that network owners indicate whether an IP
address is an MTA or not. SPF-used-as-MTAMark would require
these additional records to cover the dialin pool:
3-20.dialin.example.net TXT "v=spf1 -all"
3-21.dialin.example.net TXT "v=spf1 -all"
3-22.dialin.example.net TXT "v=spf1 -all"
3-23.dialin.example.net TXT "v=spf1 -all"
Personally, I don't think the above should be necessary. I
think that if you get mail from a return-path that has only
an A record and neither an MX record nor an SPF record, you
should assume that it's not meant to be an MTA. This rule
subsumes the MTAMark semantic.
<snip>
I disagree with your proposed rule above for a return-path
without an MX or SPF record but with an A record (and matching PTR, I assume).
I can't quote the RFC off the top of my head, but I thought
that a receiving MTA (and therefore a sending MTA) could get away
with just an A record for the domain (giving a weight of 0) if
no MX was declared.
More important, though, are bounce messages from domains
without any SPF, since the sender may be an outbound-only MTA, i.e. an A
record matching the HELO, but no matching MX or SPF.
IMHO, for the moment, all A and MX records need to have an SPF
TXT record to declare the owner's policy for the IP to which
they refer.
Regards
Karl.P
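As an added example (not part of the thread, and not code from either poster), the Python sketch below evaluates the SPF records quoted above against the dialin and MX addresses, including the HELO fallback for null-sender NDNs, and puts the two rules under dispute side by side: the implicit-MX fallback Karl recalls (RFC 2821 section 5: a domain with an A record but no MX records is treated as its own MX at preference 0) and Meng's proposed "A record only, no MX, no SPF, so not an MTA" test. The zone is constructed from the records in the post; outbound.example.org is a hypothetical A-only domain added to exercise those two rules. Only the mechanisms the quoted records use (a, mx, all, plus ip4) are implemented; a real receiver should use a full SPF library.

```python
"""Minimal v=spf1 evaluator over the DNS data from the dialup-ISP use case.

Added example, not from the original thread. The zone is constructed
from the records quoted in the post; outbound.example.org is a
hypothetical A-only domain used to illustrate the disputed rules.
"""
import ipaddress

# Constructed zone: A, MX and TXT records from the use case.
ZONE = {"A": {}, "MX": {}, "TXT": {}}
ZONE["A"].update({
    "example.net": ["192.0.2.1"],
    "www.example.net": ["192.0.2.1"],
    "a.mx.example.net": ["192.0.2.10"],
    "b.mx.example.net": ["192.0.2.11"],
    "smtp.example.net": ["192.0.2.10", "192.0.2.11"],
    "outbound.example.org": ["192.0.2.50"],  # hypothetical: A only, no MX, no SPF
})
for i in range(20, 24):  # the four dialin hosts and their MTAMark-style records
    ZONE["A"][f"3-{i}.dialin.example.net"] = [f"192.0.3.{i}"]
    ZONE["TXT"][f"3-{i}.dialin.example.net"] = "v=spf1 -all"
ZONE["MX"]["example.net"] = [(10, "a.mx.example.net"), (11, "b.mx.example.net")]
ZONE["TXT"].update({
    "example.net": "v=spf1 a mx -all",
    "www.example.net": "v=spf1 a -all",
    "a.mx.example.net": "v=spf1 a -all",
    "b.mx.example.net": "v=spf1 a -all",
})

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE[rtype].get(name, [])


def check_host(ip, domain):
    """SPF check_host(): evaluate `domain`'s v=spf1 record for connecting IP `ip`."""
    record = ZONE["TXT"].get(domain)
    if record is None:
        return "none"  # no SPF record published for this domain
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":  # connecting IP is among the A records of <domain>
            matched = ip in lookup("A", arg or domain)
        elif name == "mx":  # connecting IP is an A record of one of the MX hosts
            hosts = [h for _, h in lookup("MX", arg or domain)]
            matched = any(ip in lookup("A", h) for h in hosts)
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism not implemented in this sketch
        if matched:
            return RESULT[qualifier]
    return "neutral"  # record ran out without a match


def check_mail(ip, helo, mail_from):
    """Evaluate one SMTP transaction. A null sender (MAIL FROM:<>), as used
    for NDNs, falls back to the HELO name, which is why a.mx and b.mx
    publish their own records in the post."""
    sender = mail_from.strip("<>")
    domain = sender.rpartition("@")[2] if "@" in sender else helo
    return check_host(ip, domain)


def implicit_mx(domain):
    """The rule Karl refers to (RFC 2821 section 5): with no MX records, a
    domain that has an A record is its own mail exchanger at preference 0."""
    mx = lookup("MX", domain)
    if mx:
        return sorted(mx)
    return [(0, domain)] if lookup("A", domain) else []


def looks_like_mta(domain):
    """Meng's proposed rule: a return-path domain with only an A record and
    neither an MX nor an SPF record is presumed not to be an MTA."""
    return bool(lookup("MX", domain)) or domain in ZONE["TXT"]


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "a.mx.example.net"), ("192.0.3.20", "3-20.dialin.example.net")]:
        print(ip, "user@example.net:", check_mail(ip, helo, "<user@example.net>"),
              " NDN <>:", check_mail(ip, helo, "<>"))
    print("outbound.example.org:", implicit_mx("outbound.example.org"), looks_like_mta("outbound.example.org"))
```

Running the block shows the MX pool passing under both the normal envelope and the null-sender HELO fallback, every dialin address failing, and the hypothetical A-only domain being accepted as its own MX by the RFC 2821 rule while being rejected as a non-MTA by Meng's rule, which is exactly the disagreement in the reply above.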