Re: Re: SPF HELO checking

Thanks for taking the time to reply.

--David <david(_at_)ols(_dot_)es> wrote:

> Hi !!
>
> > 1. HELO checking is already a part of all SPF implementations we are
> > aware of.  It has been part of the spec for over a year.  The discussion
> > is not whether to add it, but how do we live with it.
> yes, but it's mainly for the case of the null nevelope sender
Correct, it was originally for null return address.  Enough people 
expressed an interest in using SPF for HELO checking that it was built into 
many SPF checkers as an optional feature that can be turned on by the admin.
> and it's
> not possible right now to specify separated policies for mail from and
> helo for the same domain.
Not true, but since you already know about the "postmaster" workaround, you 
already know this.

>  > We can do them
>  > separately in the next version (Unified SPF).
>
> i really do not belive in spf unified, to be realistic i will prefer
> separeted protocols for each check (mailfrom, helo, from: and message
> content)

I understand what you are saying.  My point is that BOTH of us are 
proposing an idea for the future that handles this more elegantly.  Whether 
it is unified SPF with different scopes like spf2.0/helo or a v=helo 
record, neither of these exist now.
When it comes time to decide "where to go from here" and "what to do 1 year 
from now" let's talk about whether Unified or Separate is better.
For NOW, what I am trying to explain is that HELO checking in SPF already 
exists.  Now.  SPF v1 is already up and running and it has this feature in 
it.  Before we talk about the future, let's establish and agree on what is 
in the code right now and actually running on most if not all SPF checkers.
Where we are NOW should not be a subject of much debate, because it's 
incredibly easy to observe and measure.  Let's make sure we agree about 
where SPF is now, today, at this moment, and then we can have long 
discussions about the future and where to go from here.
Where we are NOW is:
 SPF checks MAIL FROM, and HELO sometimes, and HELO all the time if you 
turn on the switch.
 The same record is used in both contexts which is usually what you want
 It is possible to specify different policies with a %{l} macro, if needed.

You started this discussion by asking "How do I do this" and I answered: 
this is how.  I didn't expect to get disagreement about how things are now. 
I just answered, assuming it was an honest question.  I am now not sure if 
you are disagreeing with me about how things actually are now, or if you 
are just making suggestions for the future.

> > If they publish using -all they are protected anyway.
> but this breaks forwarding.

I understand why you say this but I don't agree with it.  I publish -all 
for my personal domain.  I don't see a problem with doing so.  If people 
want their mail forwarded, they can make accomodations for it, such as 
using trusted-forwarder white list or their own white list.
Some of SPF's critics (most notably David Woodhouse) have said over and 
over and over that "-all breaks forwarding".  I don't agree with that 
generalization.  People checking SPF really need to be aware of forwarding, 
and use whitelists, but senders should not avoid -all just out of fear that 
some receivers will do it wrong.  Receivers who do it wrong should fix 
their own problem, not blame it on people publishing -all.

> > 3. For the case where you really need a different policy for both, there
> > is a workaround: specify a -all policy only when the username is
> > "postmaster" and a ~all for all other usernames.
> and what about policies for postmaster itself ?

For those people who send mail from postmaster, AND that mail might come 
from other sources not specified in the SPF record, AND they want their 
HELO name protected, are not going to be able to get everything they want. 
Either they need to control the mail coming from postmaster, or use a 
different return address for that particular mail, so that the postmaster 
record can end with -all.  They have to choose.
Recognize that we are already talking about a minority within a minority. 
MOST domains can express a single record that covers their MAIL FROM and 
HELO usage.  Of those that can't, MOST will be OK with restricting outbound 
mail coming from "postmaster" as a workaround.  This is very, very 
different from saying "You can't do it".

> all of this is just a patch, a workaround, a way to do something with
> a tool that has not been designed to do that, not something well
> designed SPS is designed to protect the mail from, trying to
> desesperatelly use it for anything is not the way to go.
Again, I didn't mean to get into a philosophical debate about the "right" 
way to do things.  I am describing the WAY THINGS REALLY ARE TODAY.  I 
totally agree that there is a more elegant way to deal with it coming in 
the future, but that hasn't been invented yet.  When it is, your comments 
about it will probably turn out to be right.
HELO checking in SPF EXISTS NOW TODAY.  It's not doing something the tool 
hasn't been designed to do, it is running code on a large number of 
domains.  It's not trying desparately to be something it isn't -- it just 
IS.  It's not "the way to go" -- it's the way it actually WENT.
(Sorry for repeating the same point over and over, but I don't think I have 
been clear enough before.  We need to totally separate the two questions of 
"how it works now" and "how it should work in the future".)

> If we need
> a way to check the helo we are in the moment we can develop a simple
> and functional protocol. We can also overload spf. My experience both
> as a programmer and sysadmin tells me that is better to have small
> well designed pieces than one big and complex piece that tries to
> deal with everything.

That sounds fine.  Hopefully you will stay active on the list and be around 
to contribute when it comes time to discuss the next major revision.  I 
look forward to talking about the future with you.

> > Footnote:  By the way, "soft fail" ~all is actually quite a bit newer
> > than HELO checking :)
> i supose you are kidding ...

No, not at all.  More existing SPF checkers support HELO checking than soft 
fail.  It's all in the archives.

> > If everyone could just publish -all then
> > HELO checking would work as originally intended.
> no, it will be only because you can publish -all, not because you can
> publish different policies for helo and mailfrom.
You can.  The only limitation right now is that you can't publish different 
policies for HELO domain and MAIL FROM: <postmaster(_at_)domain>.  (Or maybe 
there is... there might be some other macro that could be used to tell the 
difference.  Frankly nobody has mentioned it as a problem before so there 
wasn't a real need to go looking for a second, more complete solution.)
Thanks for taking the time to read.
gregc

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>