spf-discuss

Re: SPF HELO checking

2004-12-10 14:18:55
On Fri, 10 Dec 2004, william(at)elan.net wrote:
>> one step further ... I want my domain (ols.es) to have an spf record
>> like "mx ~all", but I don't want anybody to use ols.es in the hello,
>> including me (as I always use full hostnames in my hello). How can
>> I specify this policy ??
>
> Right now you can not, I've made this point on this list before too.


Not exactly true, I posted a suggested workaround for this about a week ago
(Sat Dec 04 9:17).  Basically the idea is that when you are checking HELO,
there is no "localpart" (i.e. username), so most implementations use the
string "postmaster" when asked for localpart %{l}.

So the following recipe places a -all restriction on mail from
postmaster(_at_)example(_dot_)com and ?all for all other mail from example.com,
which has the practical effect of also limiting HELO use of that name.

nekodojo.org.  IN  TXT  "v=spf1 mx ptr redirect=%{l}._spf.nekodojo.org"
postmaster._spf.nekodojo.org. IN  TXT     "v=spf1 -all"
*._spf.nekodojo.org.          IN  TXT     "v=spf1 ?all"

The part before the redirect= should be whatever your SPF record normally has 
in it (a, mx, ptr, ip4, etc).  If nothing flags a result by the time it gets 
to redirect= it will refuse for postmaster (and helo) and be unknown for 
everyone else.  (You can also use this to give a specific policy for certain 
senders)

Thanks
gregc

--
Greg Connor
gconnor(_at_)nekodojo(_dot_)org

Everyone says that having power is a great responsibility.  This is a lot
of bunk.  Responsibility is when someone can blame you if something goes
wrong.  When you have power you are surrounded by people whose job it is
to take the blame for your mistakes.  If they're smart, that is. 
                -- Cerebus, "On Governing"
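
The following is an added example, not part of the original message: a small Python model of how the `redirect=%{l}._spf.nekodojo.org` recipe above resolves for a HELO check versus ordinary senders. It assumes that no mechanism before `redirect=` matched the client, that the checker substitutes "postmaster" when the identity has no local part, and a simplified wildcard lookup. The `ZONE` table, helper names and sample identities are constructed for illustration. The `?` qualifier the message calls "unknown" is reported as "neutral", its RFC 7208 name.

```python
# Constructed zone data: the three TXT records from the message above.
ZONE = {
    "nekodojo.org": "v=spf1 mx ptr redirect=%{l}._spf.nekodojo.org",
    "postmaster._spf.nekodojo.org": "v=spf1 -all",
    "*._spf.nekodojo.org": "v=spf1 ?all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def local_part(identity):
    """A HELO name has no '@', so the checker falls back to 'postmaster'."""
    local, sep, _ = identity.rpartition("@")
    return local if sep and local else "postmaster"


def txt_lookup(name):
    """Exact match first, then the nearest wildcard (simplified DNS rule)."""
    name = name.lower().rstrip(".")
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in ZONE:
            return ZONE[wild]
    return None


def redirect_result(identity, domain="nekodojo.org"):
    """Outcome when nothing before redirect= matched the connecting client."""
    record = txt_lookup(domain)
    target = next(t for t in record.split() if t.startswith("redirect="))
    target = target[len("redirect="):].replace("%{l}", local_part(identity))
    policy = txt_lookup(target)
    if policy is None:
        return target, "permerror"  # redirect target without an SPF record
    term = policy.split()[-1]  # each policy record here is a lone 'all'
    qualifier = term[0] if term[0] in RESULTS else "+"
    return target, RESULTS[qualifier]


if __name__ == "__main__":
    for ident in ("mail.nekodojo.org", "postmaster@nekodojo.org",
                  "alice@nekodojo.org"):
        print(ident, "->", redirect_result(ident))
```

The HELO name and the real postmaster address land on the same `-all` record, so the recipe also rejects genuine postmaster mail from hosts the earlier mechanisms do not cover.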


