Re: Re: SPF HELO checking
2004-12-11 11:30:22
Thanks for taking the time to reply.
--David <david(_at_)ols(_dot_)es> wrote:
Hi !!
1. HELO checking is already a part of all SPF implementations we are
aware of. It has been part of the spec for over a year. The discussion
is not whether to add it, but how do we live with it.
yes, but it's mainly for the case of the null nevelope sender
Correct, it was originally for null return address. Enough people
expressed an interest in using SPF for HELO checking that it was built into
many SPF checkers as an optional feature that can be turned on by the admin.
and it's
not possible right now to specify separated policies for mail from and
helo for the same domain.
Not true, but since you already know about the "postmaster" workaround, you
already know this.
> We can do them
> separately in the next version (Unified SPF).
i really do not belive in spf unified, to be realistic i will prefer
separeted protocols for each check (mailfrom, helo, from: and message
content)
I understand what you are saying. My point is that BOTH of us are
proposing an idea for the future that handles this more elegantly. Whether
it is unified SPF with different scopes like spf2.0/helo or a v=helo
record, neither of these exist now.
When it comes time to decide "where to go from here" and "what to do 1 year
from now" let's talk about whether Unified or Separate is better.
For NOW, what I am trying to explain is that HELO checking in SPF already
exists. Now. SPF v1 is already up and running and it has this feature in
it. Before we talk about the future, let's establish and agree on what is
in the code right now and actually running on most if not all SPF checkers.
Where we are NOW should not be a subject of much debate, because it's
incredibly easy to observe and measure. Let's make sure we agree about
where SPF is now, today, at this moment, and then we can have long
discussions about the future and where to go from here.
Where we are NOW is:
SPF checks MAIL FROM, and HELO sometimes, and HELO all the time if you
turn on the switch.
The same record is used in both contexts which is usually what you want
It is possible to specify different policies with a %{l} macro, if needed.
You started this discussion by asking "How do I do this" and I answered:
this is how. I didn't expect to get disagreement about how things are now.
I just answered, assuming it was an honest question. I am now not sure if
you are disagreeing with me about how things actually are now, or if you
are just making suggestions for the future.
If they publish using -all they are protected anyway.
but this breaks forwarding.
I understand why you say this but I don't agree with it. I publish -all
for my personal domain. I don't see a problem with doing so. If people
want their mail forwarded, they can make accomodations for it, such as
using trusted-forwarder white list or their own white list.
Some of SPF's critics (most notably David Woodhouse) have said over and
over and over that "-all breaks forwarding". I don't agree with that
generalization. People checking SPF really need to be aware of forwarding,
and use whitelists, but senders should not avoid -all just out of fear that
some receivers will do it wrong. Receivers who do it wrong should fix
their own problem, not blame it on people publishing -all.
3. For the case where you really need a different policy for both, there
is a workaround: specify a -all policy only when the username is
"postmaster" and a ~all for all other usernames.
and what about policies for postmaster itself ?
For those people who send mail from postmaster, AND that mail might come
from other sources not specified in the SPF record, AND they want their
HELO name protected, are not going to be able to get everything they want.
Either they need to control the mail coming from postmaster, or use a
different return address for that particular mail, so that the postmaster
record can end with -all. They have to choose.
Recognize that we are already talking about a minority within a minority.
MOST domains can express a single record that covers their MAIL FROM and
HELO usage. Of those that can't, MOST will be OK with restricting outbound
mail coming from "postmaster" as a workaround. This is very, very
different from saying "You can't do it".
all of this is just a patch, a workaround, a way to do something with
a tool that has not been designed to do that, not something well
designed SPS is designed to protect the mail from, trying to
desesperatelly use it for anything is not the way to go.
Again, I didn't mean to get into a philosophical debate about the "right"
way to do things. I am describing the WAY THINGS REALLY ARE TODAY. I
totally agree that there is a more elegant way to deal with it coming in
the future, but that hasn't been invented yet. When it is, your comments
about it will probably turn out to be right.
HELO checking in SPF EXISTS NOW TODAY. It's not doing something the tool
hasn't been designed to do, it is running code on a large number of
domains. It's not trying desparately to be something it isn't -- it just
IS. It's not "the way to go" -- it's the way it actually WENT.
(Sorry for repeating the same point over and over, but I don't think I have
been clear enough before. We need to totally separate the two questions of
"how it works now" and "how it should work in the future".)
If we need
a way to check the helo we are in the moment we can develop a simple
and functional protocol. We can also overload spf. My experience both
as a programmer and sysadmin tells me that is better to have small
well designed pieces than one big and complex piece that tries to
deal with everything.
That sounds fine. Hopefully you will stay active on the list and be around
to contribute when it comes time to discuss the next major revision. I
look forward to talking about the future with you.
Footnote: By the way, "soft fail" ~all is actually quite a bit newer
than HELO checking :)
i supose you are kidding ...
No, not at all. More existing SPF checkers support HELO checking than soft
fail. It's all in the archives.
If everyone could just publish -all then
HELO checking would work as originally intended.
no, it will be only because you can publish -all, not because you can
publish different policies for helo and mailfrom.
You can. The only limitation right now is that you can't publish different
policies for HELO domain and MAIL FROM: <postmaster(_at_)domain>. (Or maybe
there is... there might be some other macro that could be used to tell the
difference. Frankly nobody has mentioned it as a problem before so there
wasn't a real need to go looking for a second, more complete solution.)
Thanks for taking the time to read.
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- RE: SPF HELO checking, (continued)
- Re: SPF HELO checking, David
- Re: SPF HELO checking, Alex van den Bogaerdt
- Re: SPF HELO checking, Greg Connor
- Re: SPF HELO checking, David
- Re: SPF HELO checking, Frank Ellermann
- Re: Re: SPF HELO checking, David
- Re: Re: SPF HELO checking, Greg Connor
- Re: Re: SPF HELO checking, David
- Re: Re: SPF HELO checking,
Greg Connor <=
- Re: Re: SPF HELO checking, David
- Re: Re: SPF HELO checking, Greg Connor
- Re: Re: SPF HELO checking, David
- Re: Re: SPF HELO checking, Stuart D. Gathman
- Re: SPF HELO checking, wayne
- Re: SPF HELO checking, David
- Re: SPF HELO checking, Greg Connor
- Re: SPF HELO checking, David
- Re: SPF HELO checking, william(at)elan.net
- Re: SPF HELO checking, David
|
|
|