spf-discuss

RE: Architectural issues with the SPF specification

2005-01-05 06:44:00
Greg Connor [gconnor(_at_)nekodojo(_dot_)org] wrote:
Julian Mehnle <bulk(_at_)mehnle(_dot_)net> wrote:
1. Suggest "HELO domain" instead of "HELO mx.domain".

I am not sure what the prior RFCs have to say about this specifically,
but my general impression is that the HELO name should be a hostname.
My understanding was that the HELO name should identify the specific
server.

RFC 2821 says it should be a hostname, and I certainly do not intend to
change that.  Although "HELO domain" would generally be more useful than
"HELO mx.domain" from an architectural point of view, I do recognize that
this would be a major incompatible change to the e-mail system which would
break most mail software, so I refrain from suggesting that.

What I want to say is that _if_ "domain" already is a hostname for the MTA
(or can be made so without problems), then the MTA should say "HELO
domain" instead of "HELO mx.domain".  The prerequisite is already
satisfied for many small sites.

2. HELO checking and MAIL FROM checking.

Agreed.  I like the second one better, though we shouldn't be
heavy-handed about saying "HELO should be used for X"... maybe more
passive like "If HELO is a domain name with an SPF record, it can be
checked in this way." As in, we generally expect it to be used in a
certain way, but we're not mandating it.

If what we say here is a conflict with RFC 2821, that's OK, but we
should say explicitly what provisions of 2821 are intentionally
deprecated.

No, RFC 2821 already strictly requires HELO to be either a FQDN or an IP
address literal in section 3.6:

| -  The domain name given in the EHLO command MUST BE either a primary
|    host name (a domain name that resolves to an A RR) or, if the host
|    has no name, an address literal as described in section 4.1.1.1.

This is also somewhat implicitly noted in the current SPF spec in sections
2.1 and 2.4, but should be made more explicit, i.e. "malformed" HELO
strings should be declared broken as per RFC 2821.  Also, de facto SPF
does not enforce this because a malformed HELO string results in "None",
which allows forgers to say "HELO non-existent-subdomain.debian.org, MAIL
FROM: <>" and not get caught.  But a strict interpretation of RFC 2821
actually allows banning such behavior, so why is the SPF spec reluctant to
do so?

Basically I would like the spec to pave the way for HELO checking, but
not specifically require it. [...]

Ok, so why exactly don't you want to require HELO checking?
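As an added illustration (not part of this thread or of any SPF implementation) of the point made above: a HELO that is neither an address literal nor a name with an A record gets SPF "None" under de facto behaviour, while a strict reading of RFC 2821 section 3.6 lets a receiver treat it as broken before SPF is even consulted. The DNS table, domain names and function names are constructed for the example.

```python
import ipaddress
import re
# Constructed stand-in for DNS (not real records): name -> (A records, SPF TXT record or None).
FAKE_DNS = {
    "example.org":    (["192.0.2.10"], "v=spf1 ip4:192.0.2.10 -all"),
    "mx.example.org": (["192.0.2.10"], None),   # valid host that publishes no SPF record
    # "bogus.example.org" is deliberately absent: neither an A RR nor an SPF record.
}
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
VERDICT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def helo_form(helo):
    """Classify a HELO/EHLO argument by RFC 2821 3.6 syntax: 'fqdn', 'literal' or 'malformed'."""
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        inner = inner[5:] if inner.startswith("IPv6:") else inner
        try:
            ipaddress.ip_address(inner)
            return "literal"
        except ValueError:
            return "malformed"
    labels = helo.split(".")
    if len(labels) < 2 or not all(LABEL.match(lab) for lab in labels):
        return "malformed"
    return "fqdn"

def spf_helo_check(helo, client_ip, dns=FAKE_DNS):
    """De facto SPF: a HELO without a usable SPF record (malformed or non-existent)
    yields 'None'.  Only ip4 mechanisms and the 'all' default are evaluated here."""
    record = dns.get(helo, ([], None))[1] if helo_form(helo) == "fqdn" else None
    if record is None:
        return "None"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in VERDICT else ("+", term)
        if mech == "all":
            return VERDICT[qual]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return VERDICT[qual]
    return "Neutral"

def strict_helo_policy(helo, client_ip, dns=FAKE_DNS):
    """Strict RFC 2821 3.6 reading: a HELO that is neither an address literal nor a
    name resolving to an A RR is rejected as broken before SPF gets to say 'None'."""
    form = helo_form(helo)
    if form == "literal":
        return "accept: address literal"
    if form == "malformed" or not dns.get(helo, ([], None))[0]:
        return "reject: HELO violates RFC 2821 section 3.6"
    return "spf:" + spf_helo_check(helo, client_ip, dns)
```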