In <200505060255(_dot_)j462tZV5033235(_at_)rod(_dot_)msen(_dot_)com> Michael
Elliott <elliott(_at_)rod(_dot_)msen(_dot_)com> writes:
In <x4br7p2iu8(_dot_)fsf_-_(_at_)footbone(_dot_)schlitt(_dot_)net> wayne
wrote:
At this point in time, I think it might be best to post a new message
with anything important that you think I've missed. For example, your
"DNS load summary" post[1] makes a good start, but it is all
assertions, without references to back them up (e.g. links to posts
for each person who took a position on each of those assertions, or
something).
I have been lurking for months via the web archive, and have just signed up
to throw my two cents in. And for my first post, this baboon hurls a large
monkey wrench...
2.1 The HELO Identity
There is a problem here. If the spf record contains a "%{l}" that can
generate a pass (ie +exists:%{l}.%{o}) and a "-all", the helo check would
do a check on exists:postmaster.domain.tld instead of exists:user.domain.tld.
Unless postmaster is expressly permitted, all HELO checks would generate
a fail. If postmaster is permitted, the HELO check resolves to +all.
Postmaster, IMHO, is the one local user that would never be legitimate
outside the machine specified by the "+a" mechanism.
This is only true if the domain owner uses the same domain name for
email addresses and as HELO domain names.
For example, let's look at pobox.com:
(wayne(_at_)footbone) $ dig pobox.com txt +short
pobox.com. 3600 IN TXT "v=spf1 mx
mx:fallback-relay.%{d} a:webmail.%{d} a:smtp.%{d} a:outgoing.smtp.%{d}
a:discard-reports.%{d} a:discards.%{d} mx:stor" "e.discard.%{d} a:emerald.%{d}
redirect=%{l1r+}._at_.%{o}._spf.%{d}"
(wayne(_at_)footbone) $ dig postmaster._at_.pobox.com._spf.pobox.com txt +short
postmaster._at_.pobox.com._spf.pobox.com. 600 IN TXT "v=spf1 -all"
So, pobox.com uses %{l} and denies any email claiming to be
from postmaster. However, since pobox.com uses domain names such
as orb.pobox.com as their HELO domain, this isn't a problem.
Now, microsoft's hotmail, uses the "hotmail.com" domain name for both
email addresses *and* HELO domains. As a result, they can't use %{l}
macros without running into the problems you mentioned.
I think this is something that domain owners can choose to deal with.
I don't think this is the kind of semantics that we should change at
this stage of the game.
-wayne
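As an added illustration of the macro behaviour discussed in this thread (not code from either poster), here is a small expander for the SPF macros that appear above (%{l}, %{o}, %{d}, %{l1r+}), written to the RFC 4408 rules for digit, "r" and delimiter transformers. It shows why a %{l}-based redirect is harmless for pobox.com (whose HELO names differ from its mail domain) but collapses to the "postmaster" local-part for a domain that uses one name for both identities. The sender addresses and HELO names used in the demonstration are constructed for this example.

```python
import re

# Macro letters and transformers actually used in this thread: %{l}, %{o}, %{d}, %{l1r+}.
# Form: %{<letter><digits><r?><delimiters>} per RFC 4408 section 8.
MACRO_RE = re.compile(r"%\{([slodh])(\d*)(r?)([.\-+,/_=]*)\}")


def expand_macro(macro_string, sender, domain, helo):
    """Expand SPF macros for a check of <sender> against <domain>."""
    local, _, sender_domain = sender.partition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain, "h": helo}

    def repl(match):
        letter, digits, reverse, delims = match.groups()
        # Split on the given delimiters (default "."), reverse if "r" is present,
        # then keep only the rightmost <digits> parts; rejoin with ".".
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, macro_string)


def helo_sender(helo):
    """For the HELO identity, SPF evaluates with sender = postmaster@<HELO domain>."""
    return "postmaster@" + helo


# The redirect target from the pobox.com record quoted in the thread.
POBOX_REDIRECT = "%{l1r+}._at_.%{o}._spf.%{d}"


def lookup_names(mail_from, domain, helo):
    """Return the (MAIL FROM target, HELO target) a %{l}-based redirect produces."""
    mail_from_name = expand_macro(POBOX_REDIRECT, mail_from, domain, helo)
    helo_name = expand_macro(POBOX_REDIRECT, helo_sender(helo), helo, helo)
    return mail_from_name, helo_name


if __name__ == "__main__":
    # pobox.com: HELO uses orb.pobox.com, so the HELO lookup never touches the
    # postmaster._at_.pobox.com name that is published as "v=spf1 -all".
    print(lookup_names("wayne+list@pobox.com", "pobox.com", "orb.pobox.com"))
    # Single-name domain: every HELO check resolves to the postmaster name.
    print(lookup_names("user@example.com", "example.com", "example.com"))
```

The first call shows the "+tag" suffix stripped by the l1r+ transformer, the second shows the HELO identity always mapping to the postmaster name, which is exactly the collision Michael describes.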