spf-discuss

Re: New SPFv1 spec: draft-schlitt-spf-classic-01pre6

2005-05-14 06:05:06

When commenting on another list in regards to draft-hutzler-spamops-04
somebody very picky named Bruce wrote the following:

| > If that's not good enough for you I recommend that you
| > don't publish a "sender policy".
|
| Associated with which domain -- the one that an MUA puts in HELO/EHLO --
| which comes for the mailbox for *receiving* mail, and which may be
| under control of some third party?

It appears to me the issue may indeed be valid, as it relates to the
fact that an MTA receiving email from an MSA may not want to do the HELO
check, because often enough the MSA would be on a dynamic IP and not
associated with the mail server it's sending email to.

I believe it may be a good idea to add a note (where at?) to the spf-classic spec that:

 Negative results (SPF Fail) of HELO Identity check MAY be ignored, if
 communication is between MSA and MTA and MSA mail client has been
 authenticated.

Also this raised the question of when the HELO check and rejection in
case of failure should be done. This is because the AUTH command may be
issued and you would not know immediately at EHLO, so it appears the best
is to do HELO and MAILFROM checks together at MAIL FROM or after RCPT TO.
So should we specify that in the spec or hope that implementors get
this point themselves?

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
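
The ordering proposed in the message above, as an added sketch that is not part of the original post or of any SPF implementation: the HELO name is only recorded at EHLO, and both SPF results are judged at MAIL FROM, once it is known whether AUTH happened. The function names, the sample hosts and addresses, and the lookup table standing in for DNS are assumptions constructed for the illustration; enforcing the MAIL FROM result for authenticated clients is also an assumption, since the message only addresses the HELO result.

```python
# Added illustration. SPF results come from a constructed table, not from DNS.
SPF_RESULTS = {  # (identity, client_ip) -> SPF result; constructed sample data
    ("laptop.dyn.example.net", "192.0.2.10"): "fail",
    ("user@example.org", "192.0.2.10"): "pass",
    ("mx.example.com", "198.51.100.7"): "fail",
    ("bob@example.com", "198.51.100.7"): "pass",
}

def check_spf(identity, client_ip):
    """Hypothetical stand-in for a real SPF evaluation."""
    return SPF_RESULTS.get((identity, client_ip), "none")

def run_session(client_ip, commands):
    """Return one SMTP reply code per command line.

    The HELO identity is not judged at EHLO, because AUTH may still follow.
    """
    helo_name, authenticated, replies = None, False, []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo_name = arg.strip()
            replies.append(250)          # record only, decide later
        elif verb == "AUTH":
            authenticated = True         # assumption: credentials verified elsewhere
            replies.append(235)
        elif verb == "MAIL":
            sender = arg.partition(":")[2].strip().strip("<>")
            helo_result = check_spf(helo_name, client_ip)
            mail_result = check_spf(sender, client_ip)
            if helo_result == "fail" and not authenticated:
                replies.append(550)      # HELO Fail enforced for unauthenticated peers
            elif mail_result == "fail":
                replies.append(550)      # MAIL FROM Fail still enforced (assumption)
            else:
                replies.append(250)      # HELO Fail ignored after AUTH
        else:
            replies.append(500)
    return replies
```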