spf-discuss

Re: Re: SPF HELO checking

2004-12-11 13:01:09
OK I think I understand a bit better. I think I was confused by some of your earlier messages. I thought you were saying "it isn't" when you meant "it shouldn't be". Apologies for any misunderstanding.

--David <david(_at_)ols(_dot_)es> wrote:
(Sorry for repeating the same point over and over, but I don't think I
have been clear enough before.  We need to totally separate the two
questions of "how it works now" and "how it should work in the future".)

The original discussions started as "how it should work in the future",
I know "how it works now" and I don't like it, so when somebody else
proposed to separate helo checks from spf I agreed with him, so now you
could agree with us or not, but trying to convince us that spf is
what it is is a waste of time, all of us know how spf is.


OK, apologies for the misunderstanding. I thought you were asking for more information about how it works now.


You can.  The only limitation right now is that you can't publish
different policies for HELO domain and MAIL FROM: <postmaster(_at_)domain>.
(Or maybe there is... there might be some other macro that could be used
to tell the difference.  Frankly nobody has mentioned it as a problem
before so there wasn't a real need to go looking for a second, more
complete solution.)

No, we can't. In our case postmaster can send email but we do not want
anybody to use our domain at the helo, so either we allow anyone to
forge our domain at helo or prohibit postmaster to send mail. So this
does not work, at least for us.


I don't agree with that summary. There are actually three options (the third being the one you left out).

1. Allow anyone to forge your domain at HELO
2. Don't send mail from postmaster(_at_)domain
3. Restrict your mail sending from postmaster(_at_)domain to those situations where you know your SPF record works and select a "-all" policy for postmaster.


You are correct in saying that if you choose not to use -all (at least for postmaster), then HELO checking can't have a -all either. This is not optimal, of course. In the original design for SPF, people were expected to use -all, so this was not really considered as a flaw in the design. Ah well, the beauty of hindsight!

Thanks again for taking the time to read and reply.  :)

gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
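
The coupling between the HELO policy and the postmaster policy discussed in this message, as an added example that is not part of the original post or of any SPF implementation. It assumes the macro letters as later standardized in RFC 7208; the function names, the `%{l}._id.%{d}` domain-spec and the sample domain and address are constructed for illustration.

```python
import re

def identity_context(sender, domain, helo, ip):
    """Subset of the SPF macro letters a published record can see."""
    local, _, sender_domain = sender.rpartition("@")
    if not local:  # sender has no local-part: SPF substitutes "postmaster"
        local, sender_domain = "postmaster", sender
    return {"s": f"{local}@{sender_domain}", "l": local, "o": sender_domain,
            "d": domain, "h": helo, "i": ip}

def helo_check(helo, ip):
    # HELO identity: the HELO name serves as both <domain> and <sender>.
    return identity_context(helo, helo, helo, ip)

def mail_from_check(mail_from, helo, ip):
    # Null reverse-path (bounce): the identity becomes postmaster@<HELO name>.
    sender = mail_from or f"postmaster@{helo}"
    return identity_context(sender, sender.rpartition("@")[2], helo, ip)

MACRO = re.compile(r"%\{([slodhi])\}")

def expand(spec, ctx):
    """Expand simple %{x} macros (no transformers or delimiters)."""
    return MACRO.sub(lambda m: ctx[m.group(1)], spec)

# Constructed sample values (documentation domain and address).
DOMAIN, IP = "example.com", "192.0.2.10"
SPEC = "%{l}._id.%{d}"  # hypothetical per-identity lookup name

def demo():
    as_helo = helo_check(DOMAIN, IP)
    as_postmaster = mail_from_check(f"postmaster@{DOMAIN}", DOMAIN, IP)
    as_user = mail_from_check(f"alice@{DOMAIN}", DOMAIN, IP)
    return {
        # Same macro context, so the record cannot answer the two differently.
        "helo_equals_postmaster": as_helo == as_postmaster,
        "helo_lookup": expand(SPEC, as_helo),
        "postmaster_lookup": expand(SPEC, as_postmaster),
        # Any other local-part is distinguishable through %{l}.
        "user_lookup": expand(SPEC, as_user),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `h` value is the only one that changes between the two checks, and only when the connecting client gives a HELO name other than the domain itself.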

