In <x4br7p2iu8.fsf@footbone.schlitt.net> wayne wrote:
> At this point in time, I think it might be best to post a new message
> with anything important that you think I've missed. For example, your
> "DNS load summary" post[1] makes a good start, but it is all
> assertions, without references to back them up (e.g. links to posts
> for each person who took a position on each of those assertions, or
> something).
I have been lurking for months via the web archive, and have just signed up
to throw my two cents in. And for my first post, this baboon hurls a large
monkey wrench...
2.1 The HELO Identity
There is a problem here. If the SPF record contains a "%{l}" that can
generate a pass (i.e. +exists:%{l}.%{o}) and a "-all", the HELO check would
do a check on exists:postmaster.domain.tld instead of exists:user.domain.tld.
Unless postmaster is expressly permitted, all HELO checks would generate
a fail. If postmaster is permitted, the HELO check resolves to +all.
Postmaster, IMHO, is the one local user that would never be legitimate
outside the machine specified by the "+a" mechanism.
Would it not be appropriate to add:
"If the SPF record contains the %{l} macro and the MAIL FROM identity
is not "<>", the HELO identity MUST NOT be checked due to its
indeterminate nature."
Yes, I use the %{l} to whitelist the two bad users so that I can
use a -all across the 1000+ user domain.
-Mike Elliott
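To make the failure mode concrete, here is an added illustration (not code from Mike's post, the SPF draft, or any SPF library) that models only the %{l} and %{o} macros plus the exists: and all mechanisms, with a constructed in-memory DNS table standing in for the real lookups. The domain name example.com and the user names are assumed for the illustration.

```python
# Added example: why "+exists:%{l}.%{o} -all" behaves differently for a
# MAIL FROM check and a HELO check. For a HELO check the identity has no
# local part, so the local part becomes "postmaster" before %{l} expands.
# DNS is replaced by a constructed set of names that "exist" (have an A record).
from typing import List, Set

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def expand_macro(template: str, local_part: str, domain: str) -> str:
    """Expand just the %{l} (local part) and %{o} (domain) macros."""
    return template.replace("%{l}", local_part).replace("%{o}", domain)

def evaluate(record: List[str], local_part: str, domain: str, dns_a: Set[str]) -> str:
    """Walk the record left to right; the first matching mechanism decides.
    Only 'exists:' and 'all' are modelled, which is all this case needs."""
    for term in record:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("exists:"):
            name = expand_macro(term[len("exists:"):], local_part, domain)
            if name in dns_a:  # an A record exists -> mechanism matches
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":  # matches unconditionally
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched: default result

def mail_from_result(record: List[str], sender: str, dns_a: Set[str]) -> str:
    """MAIL FROM check: %{l} is the real local part of the sender address."""
    local_part, _, domain = sender.partition("@")
    return evaluate(record, local_part, domain, dns_a)

def helo_result(record: List[str], helo_domain: str, dns_a: Set[str]) -> str:
    """HELO check: there is no local part, so "postmaster" is substituted."""
    return evaluate(record, "postmaster", helo_domain, dns_a)

# Constructed scenario: two whitelisted users, -all for everyone else.
RECORD = ["+exists:%{l}.%{o}", "-all"]
DNS_WITHOUT_POSTMASTER = {"baduser1.example.com", "baduser2.example.com"}
DNS_WITH_POSTMASTER = DNS_WITHOUT_POSTMASTER | {"postmaster.example.com"}

if __name__ == "__main__":
    print(mail_from_result(RECORD, "baduser1@example.com", DNS_WITHOUT_POSTMASTER))
    print(mail_from_result(RECORD, "alice@example.com", DNS_WITHOUT_POSTMASTER))
    print(helo_result(RECORD, "example.com", DNS_WITHOUT_POSTMASTER))  # fail
    print(helo_result(RECORD, "example.com", DNS_WITH_POSTMASTER))     # pass
```

Run as-is it prints pass, fail, fail, pass: every HELO check fails until postmaster.example.com is published, and once it is, every HELO check passes regardless of the sending host, which is the "+all" effect described above.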