spf-discuss

Re: Sending mail from dynamic IP-addresses with dynamic PTR hostnames, but constant EHLO/HELO hostnames

2005-05-25 13:36:08
On 25/05/05, Julian Mehnle <bulk(_at_)mehnle(_dot_)net> wrote:

Constantine A. Murenin wrote:
Is there a way to utilise the EHLO/HELO hostname, which is provided by
the MTA in the greetings part of smtp? I.e., I want to say that every
MTA that claims to have a hostname of format *.example.name, provided
that the domain resolves to the MTA's IP-address, is permitted to send
my mail. That is much more simple and straightforward, isn't it? :-)
And it does not reveal the structure of my network to strangers, does
it?

You could use:

v=spf1 a a:home.example.name -all

If you do NOT want to expose "home.example.name" in your SPF record, you
have to set up a custom DNS server for the domain "_spf.example.name" that
publishes an "A" record for the current dynamic IP address (let's assume
71.0.x.y) of your home MTA:

y.x.0.71._spf.example.name IN A 127.0.0.1

That exact "A" record would be difficult to find by someone who knows
neither your dynamic IP address nor the corresponding host name
("home.example.name"). Your SPF record could then read:

v=spf1 a exists:%{ir}._spf.example.name -all

If you cannot set up your own DNS server for "_spf.example.name" that
dynamically adjusts the "A" record to your IP address, you are out of
luck.

Alternatively, DynDNS.org could extend their services and publish such an
"A" record for their customers, for instance under the domain
"_spf.customers.dyndns.org". Then you could use
"exists:%{ir}._spf.customers.dyndns.org" instead.


What about macros with "h = HELO/EHLO domain"? How could I set it to test if
the HELO/EHLO domain resolves to an ip-address of the connected client,
along with the testing that the domain is in the example.name zone?

Constantine.
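
The `exists:%{ir}._spf.example.name` lookup discussed in this message, as an added example that is not part of the original thread: a small Python expander for a subset of SPF macros, showing the name a receiver would query and what `%{h}` expands to. The client address 192.0.2.10, the zone table and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed zone: the single hidden "A" record from the message, published
# here for the constructed client address 192.0.2.10.
ZONE = {"10.2.0.192._spf.example.name": "127.0.0.1"}

# %{letter digits r delimiters} plus the literals %%, %_ and %-.
_MACRO = re.compile(r"%\{([slodih])(\d*)(r?)([-.+,/_=]*)\}|%([%_-])")


def expand(spec, ip, helo, sender):
    """Expand SPF macros in a domain-spec (subset: s, l, o, d, i, h)."""
    local, _, domain = sender.rpartition("@")
    local = local or "postmaster"  # SPF default when no local part is given
    addr = ipaddress.ip_address(ip)
    # IPv4 expands to a dotted quad, IPv6 to dot-separated nibbles.
    i_val = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {
        "s": local + "@" + domain, "l": local, "o": domain, "d": domain,
        "i": i_val,
        "h": helo,  # whatever name the client sent in HELO/EHLO, unverified
    }

    def repl(match):
        if match.group(5):
            return {"%": "%", "_": " ", "-": "%20"}[match.group(5)]
        letter, digits, rev, delims = match.group(1, 2, 3, 4)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            count = int(digits)
            if count == 0:
                raise ValueError("macro digit transformer must be non-zero")
            parts = parts[-count:]  # keep the right-hand labels
        return ".".join(parts)

    return _MACRO.sub(repl, spec)


def exists_matches(spec, ip, helo, sender, zone=ZONE):
    """The exists mechanism matches when the expanded name has any A record."""
    return expand(spec, ip, helo, sender).lower().rstrip(".") in zone
```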
