On Fri, 10 Dec 2004, David wrote:
Hi !!
> I also think that because HELO is expected to be a hostname that the SPF record
> should just directly list its IP (or IP block where it is located, but
> this IP block should not be as wide as for mail-from) or at most include
> a reference to one DNS lookup (i.e. like the mx operator) but no complex
> inclusions, references or complex macros that may be useful for
> some cases of MAIL-FROM SPF records.
>
> One step further ... I want my domain (ols.es) to have an SPF record
> like "mx ~all", but I don't want anybody to use ols.es in the hello,
> including me (as I always use full hostnames in my hello). How can
> I specify this policy?
Right now you cannot; I've made this point on this list before too.
> So, I agree, hello policy must be separated from mail from: policy.
> Then, what about having something like this:
>
> ols.es. IN TXT "v=spf1 mx ~all" -> for mail from:
> ols.es. IN TXT "v=hello -all" -> to prevent hello forgery
> a.lon.olsns.net IN TXT "v=hello a -all" -> for my hello's
> a.mad.olsns.net IN TXT "v=hello a -all" -> for my hello's
While I do not agree with the specifics of how it's listed above (i.e. "v=hello"),
in general I agree, and that is the reason why I urge the SPF community to require
HELO to be in a separate scope record. The scoping syntax could be
"SPF2.0/HELO .." or it could be "v=spf1/helo" or it could be
"v=spf1 sc=h" or it could be "v=spf1 op=hello" - how to do it is
something we should still decide on, but I do urge having an
"opt-in system" for use of SPF records for HELO checks.
> and always make hello checks against hello records (not only in the
> case of the null envelope sender)
Yes, I agree, and it should be the first step before the SPF mail-from check.
This has all been discussed before; see the threads on "Unified SPF
Algorithm". And the case of null MAIL-FROM is just one variant of
how the unified-spf algorithm would work in the special case when one of
the identities is missing data.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
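The following is an added illustration of the policy split discussed in this thread; it is not code from the thread or from any SPF implementation. It assumes the "v=spf1/helo" scope prefix that William lists as one of several candidates (the spec did not exist at the time), and it assumes the restriction David asks for: a HELO-scoped record may use only a, mx, ip4 and all, with no include, redirect or macros. DNS is replaced by a constructed in-memory zone that reuses the hostnames from David's proposal (ols.es, a.lon.olsns.net, a.mad.olsns.net) with made-up RFC 5737 documentation addresses; "loose.example" is a constructed extra domain used to show the scope restriction being enforced. The HELO check runs before the MAIL FROM check, as William argues it should.

```python
"""Toy SPF-style evaluator with a separate HELO scope (added example)."""
import ipaddress

# Assumed record-version prefixes for the two scopes (one of the candidates in the thread).
SCOPE_PREFIX = {"mailfrom": "v=spf1", "helo": "v=spf1/helo"}
# Assumed restriction: HELO records stay simple and need at most one extra DNS lookup.
HELO_MECHANISMS = {"a", "mx", "ip4", "all"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data standing in for DNS. Hostnames come from the thread;
# addresses are from the 192.0.2.0/24 documentation range; "loose.example" is made up.
ZONE = {
    "ols.es": {
        "TXT": ["v=spf1 mx ~all", "v=spf1/helo -all"],
        "MX": ["a.mad.olsns.net"],
    },
    "a.lon.olsns.net": {"TXT": ["v=spf1/helo a -all"], "A": ["192.0.2.10"]},
    "a.mad.olsns.net": {"TXT": ["v=spf1/helo a -all"], "A": ["192.0.2.20"]},
    "loose.example": {"TXT": ["v=spf1/helo include:ols.es -all"]},
}


def find_record(domain, scope):
    """Return the mechanism terms of the record for this scope, or None."""
    prefix = SCOPE_PREFIX[scope]
    for txt in ZONE.get(domain, {}).get("TXT", []):
        version, _, terms = txt.partition(" ")
        if version == prefix:  # exact match: "v=spf1" never picks up "v=spf1/helo"
            return terms
    return None


def addresses_of(host):
    return ZONE.get(host, {}).get("A", [])


def evaluate(scope, domain, client_ip):
    """Evaluate <domain>'s record for <scope> against the connecting client IP."""
    terms = find_record(domain, scope)
    if terms is None:
        return "none"
    ip = str(ipaddress.ip_address(client_ip))
    for term in terms.split():
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if scope == "helo" and mech not in HELO_MECHANISMS:
            return "permerror"  # include/redirect/macros are not allowed in HELO scope
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in addresses_of(arg or domain)
        elif mech == "mx":
            mx_hosts = ZONE.get(arg or domain, {}).get("MX", [])
            matched = any(ip in addresses_of(mx) for mx in mx_hosts)
        else:
            return "permerror"  # include/redirect/exists are outside this toy's MAIL FROM support
        if matched:
            return RESULT[qualifier]
    return "neutral"


def session_check(helo_name, mail_from_domain, client_ip):
    """HELO check first; only a non-failing HELO proceeds to the MAIL FROM check."""
    helo = evaluate("helo", helo_name, client_ip)
    if helo == "fail":
        return {"helo": helo, "mailfrom": None, "accept": False}
    mailfrom = evaluate("mailfrom", mail_from_domain, client_ip)
    return {"helo": helo, "mailfrom": mailfrom, "accept": mailfrom != "fail"}


if __name__ == "__main__":
    # Legitimate session: HELO with the real hostname, MAIL FROM at ols.es.
    print(session_check("a.mad.olsns.net", "ols.es", "192.0.2.20"))
    # Forged HELO of ols.es from the same host is rejected before MAIL FROM is consulted.
    print(session_check("ols.es", "ols.es", "192.0.2.20"))
    # A HELO record that tries to use include: is a permanent error under the restriction.
    print(evaluate("helo", "loose.example", "192.0.2.20"))
```

The two records on ols.es never interfere: the MAIL FROM lookup only matches the "v=spf1" record, so the "-all" in the HELO-scoped record cannot accidentally fail real mail, and a host that publishes only a HELO record gets "none" for MAIL FROM rather than a policy it never intended.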