-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
William Leibzon wrote:
It appears to me the issue may indeed be valid as it relates to that
MTA receiving email from MSA may not want to do HELO check because often
enough the MSA would be on dynamic ip and not associated with mail
server its sending email to.
MSA and MTA are, by definition, within a single logical trusted network,
even if MSA and MTA are not identical (which seems to be your point here).
Thus the MTA should _not_ perform SPF checks on messages received from the
MSA. Issue resolved.
I believe it maybe good idea to add note (where at?) to spf-classic spec
that:
Negative results (SPF Fail) of HELO Identity check MAY be ignored, if
communication is between MSA and MTA and MSA mail client has been
authenticated.
This paragraph is redundant because receivers are _always_ free to ignore
the result of an SPF check. It's receiver policy, after all.
Also this raised the question on when HELO check and rejection in case
of failure should be done. This is because AUTH command maybe issued
and you would not know immediately at EHLO, so it appears the best is
to do HELO and MAILFROM checks together at MAIL FROM or after RCPT TO.
So should we specify that in the spec or hope that implementors get
this point themselve?
We should not specify that, because it's receiver policy. Receivers may
even decide to postpone the MAIL FROM check until after DATA, e.g. to
whitelist messages that do have a valid PGP signature or whatever.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFChhyIwL7PKlBZWjsRAnxAAKDhaw/PXVZCNdpyZQpiaD50OrGAaQCeNs8m
FLZQXCdTp1ovKiR2vGXoG78=
=25uw
-----END PGP SIGNATURE-----