spf-discuss

Proposal: the "properties" modifier

2004-10-20 00:17:48
Hi all, here's an idea inspired by articles from Hector, Meng,
Scott, and William:

6.3  p: properties

   properties = "p=" name *( "," name )

   The p modifier introduces a comma-separated list of properties.
   New properties can be defined in additional documents in the
   same way as new modifiers.

   An initial set of properties is defined below:
   "hector", "meng", "scott", and "william".

6.3.1  The "hector" property

   The "hector" property indicates that the FQDN given in a HELO
   or EHLO command is always sent by one of the IPs permitted by
   the sender policy for this domain.

   Note that this is already required for an empty return path as
   specified in [2.1].  The "hector" property allows rejecting all
   mails in an SMTP dialogue if the sender policy of the FQDN given
   in the HELO or EHLO does not permit the IP of the SMTP client.

6.3.2  The "meng" property

   The "meng" property is only used by trusted forwarders.  This
   trust has to be pre-arranged between the client (forwarder)
   and affected servers (destinations).

   If a receiver recognizes the FQDN of a trusted forwarder in a
   HELO or EHLO, it verifies its IP as specified for the similar
   "hector" property (6.3.1).  If the "meng" property is present
   in the corresponding sender policy, all further SPF checks for
   the SMTP session are disabled.

   A forwarder specifying the "meng" property MUST implement SPF
   checks for all forwarded mails.  It MUST NOT forward mails to
   destinations without prior arrangement if that could result
   in an SPF "Fail".

   Without prior arrangement a forwarder with the "meng" property
   MUST either use a sender rewriting scheme, or reject the mail
   with error code 551.  For details about error 551 see [STD 10]
   and [RfC 2821].

   If a forwarder with the "meng" property is also an MSA, then it
   MUST enforce submission rights as specified in [RfC 2476].
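To make the receiver-side logic of 6.3, 6.3.1 and 6.3.2 concrete, here is an added illustration (not code from the proposal or from any SPF implementation). It parses the proposed "p=" modifier out of a record, evaluates a deliberately minimal policy (only ip4/ip6 mechanisms and "all", no DNS lookups), and then applies the "hector" and "meng" rules to a HELO/EHLO name. The policy records, the hostnames and the trusted-forwarder list are constructed for the example; a real checker would fetch the records via DNS and evaluate the full mechanism set.

```python
import ipaddress

# Constructed sender policies for the example.  A real checker would
# fetch these as DNS TXT records; the "p=" modifier follows the syntax
# proposed in 6.3.
POLICIES = {
    "mail.example.com": "v=spf1 ip4:192.0.2.0/24 p=hector -all",
    "fwd.example.net": "v=spf1 ip4:198.51.100.10 p=hector,meng -all",
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Forwarders with which this receiver has a prior arrangement (6.3.2).
# Without such an arrangement the "meng" property is ignored.
TRUSTED_FORWARDERS = {"fwd.example.net"}

QUALIFIER_RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def parse_policy(record):
    """Split a record into its mechanisms and the properties declared with p=."""
    mechanisms = []
    properties = set()
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if term.startswith("p="):
            properties.update(name for name in term[2:].split(",") if name)
        else:
            mechanisms.append(term)
    return mechanisms, properties


def evaluate(mechanisms, client_ip):
    """Minimal evaluator: handles ip4, ip6 and all with qualifiers only."""
    ip = ipaddress.ip_address(client_ip)
    for term in mechanisms:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                          # a, mx, include, ... not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "Neutral"


def helo_decision(helo_fqdn, client_ip, policies=POLICIES, trusted=TRUSTED_FORWARDERS):
    """Decide what the HELO/EHLO name tells us about the session.

    Returns (action, skip_further_spf):
      action is "reject", "skip-spf" or "continue";
      skip_further_spf is True only for a verified trusted forwarder.
    """
    record = policies.get(helo_fqdn)
    if record is None:
        return ("continue", False)            # no policy for the HELO name
    mechanisms, properties = parse_policy(record)
    result = evaluate(mechanisms, client_ip)

    # 6.3.1: with "hector" the HELO name is only ever sent from permitted
    # IPs, so a Fail justifies rejecting everything in this dialogue.
    if "hector" in properties and result == "Fail":
        return ("reject", False)

    # 6.3.2: a recognised forwarder is verified like "hector"; on success
    # all further SPF checks for the session are disabled.
    if helo_fqdn in trusted and "meng" in properties:
        return ("skip-spf", True) if result == "Pass" else ("reject", False)

    return ("continue", False)


if __name__ == "__main__":
    for fqdn, ip in [("mail.example.com", "192.0.2.7"),
                     ("mail.example.com", "198.51.100.5"),
                     ("fwd.example.net", "198.51.100.10"),
                     ("fwd.example.net", "203.0.113.1"),
                     ("example.org", "10.0.0.1")]:
        print(fqdn, ip, helo_decision(fqdn, ip))
```

Note that a HELO name without the "hector" property (example.org above) is not rejected on a Fail: the proposal only licenses the early rejection when the domain has asserted the property, and the ordinary MAIL FROM check still follows.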

6.3.3  The "scott" property

   The "scott" property indicates that no other user of mailers
   resulting in a "Pass" can forge any addresses covered by the
   sender policy.  This is often the case for MSAs as defined in
   [RfC 2476], but many MSAs and smart hosts still allow any
   MAIL FROM to be used after a successful authentication.

   For details about enforced submission rights see [RfC 2476].

6.3.4  The "william" property

   The "william" property is used if the address found in one of
   the mail header fields Resent-Sender, Resent-From, Sender, or
   From, in this order as defined by [STD 11], always matches the
   MAIL FROM mailbox address defined by [STD 10].

   The "william" property can be used by MUAs to identify the
   responsible sender in a mail after their border MTA verified
   the MAIL FROM address with SPF and inserted a corresponding
   Return-Path into the header.

   The "william" property allows splitting the responsibilities
   of SPF tests at the receiver between MSA and MUA in different
   ways, and its main purpose is to prevent "phishing" attempts.

   The "william" property SHOULD NOT be used in sender policies
   if affected users cannot disable it individually.  Some MUAs,
   MSAs, and mailing lists enforce valid MAIL FROM addresses, but
   don't enforce a corresponding address in a mail header field.
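The MUA-side use of the "william" property described in 6.3.4, as an added illustration that is not part of the proposal: the border MTA has already verified MAIL FROM with SPF and written the Return-Path, so the MUA only has to pick the responsible-sender field in the order Resent-Sender, Resent-From, Sender, From and compare it with the Return-Path. The messages below are constructed, and the set of properties is assumed to come from the earlier lookup of the MAIL FROM domain's policy.

```python
from email import message_from_string
from email.utils import parseaddr

# Header fields that identify the responsible sender, in the order the
# proposal gives (first one present wins).
RESPONSIBLE_FIELDS = ("Resent-Sender", "Resent-From", "Sender", "From")


def responsible_sender(msg):
    """Return (field_name, mailbox) for the first responsible-sender field."""
    for field in RESPONSIBLE_FIELDS:
        value = msg.get(field)
        if value:
            return field, parseaddr(value)[1].lower()
    return None, ""


def william_check(raw_message):
    """Compare the responsible sender with the Return-Path left by the MTA."""
    msg = message_from_string(raw_message)
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    field, address = responsible_sender(msg)
    return {
        "field": field,
        "address": address,
        "return_path": return_path,
        "matches": bool(address) and address == return_path,
    }


def assess(raw_message, properties):
    """MUA verdict: the mismatch only means something if the MAIL FROM
    domain asserted "william" in its sender policy."""
    if "william" not in properties:
        return "unverified"
    return "ok" if william_check(raw_message)["matches"] else "suspect"


# Constructed messages as they would look after the border MTA inserted
# Return-Path from the SPF-verified MAIL FROM.
PLAIN = (
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "Subject: hello\n\nbody\n"
)
RESENT = (
    "Return-Path: <relay@example.net>\n"
    "Resent-From: <relay@example.net>\n"
    "From: Alice <alice@example.com>\n"
    "Subject: forwarded\n\nbody\n"
)
MISMATCH = (
    "Return-Path: <bulk@example.com>\n"
    "From: Support <support@bank.example>\n"
    "Subject: verify your account\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("resent", RESENT), ("mismatch", MISMATCH)]:
        print(name, william_check(raw), assess(raw, {"william"}))
```

The last message shows why the proposal limits the property to domains whose users can opt out: a domain that sends with a fixed envelope address but lets users choose the From field would have every message flagged as "suspect" by such an MUA.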
