spf-discuss

Re: Re: Identity codes, plus a new %{x} macro

2005-05-27 09:17:38

On Fri, 27 May 2005, John A. Martin wrote:

"william" == william elan net
"Re: Re: Identity codes, plus a new %{x} macro"
 Fri, 27 May 2005 08:08:55 -0700 (PDT)

   >> How about client IP (not necessarily the same as any other)?

   william> Not sure what you mean.

I mean that the source IP number from the TCP handshake may not match
or point to any of the other identities.

That is what we call SMTP Client IP and is a basis for SPF check.

[and it should match the TCP handshake - it's pretty hard to spoof TCP
 and if that happens, dealing with it is not something for SPF to decide]

Let's distinguish between the terms referring to the SMTP (TCP) client
and the name given in the hello command which as often as not contains
the name of the listening MTA being abused.

I've set some of my servers to reject connection if it comes from anything other than 127.0.0.1 and EHLO name is same as server name.

In any case SPF will give proper fail, i.e. if you have mail system
mail.example.com and it has ip 192.168.0.1 and it has spf record
 mail.example.com. IN SPF "v=spf1 a -all"
 mail.example.com. IN A 192.168.0.1
and then you get connection from 192.168.10.10 at mail.example.com and
EHLO is mail.example.com, that would cause SPF FAIL result for HELO check.

   >> How about IP for DNS host in helo?

   william> That would be covered under helo identity unless you have
   william> some special idea about this and can explain why it would
   william> be separate identity.

I didn't read "HELO/EHLO smtp client system name" to include the IP
number(s) pointing to that _name_.

I don't understand you. The identity is something that can have specific
SPF policy associated with it and that receiving mail system can check on
to decide if that name is legitimately used as part of mail transmission.

So to that end, what do you have in mind? Would it be something that
receiving system can see as part of mail transmission? And what kind
of specific set of policies would this be associated with?

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
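
Added example, not part of the original message: a minimal Python evaluator for the HELO check described in the post, covering only the `a`, `ip4` and `all` mechanisms. The `ZONE` table stands in for DNS and is constructed from the two records quoted in the message; all function names are hypothetical.

```python
import ipaddress

# Constructed zone data mirroring the two records quoted in the message.
ZONE = {
    ("mail.example.com", "SPF"): ["v=spf1 a -all"],
    ("mail.example.com", "A"): ["192.168.0.1"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; reads the constructed ZONE above."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def check_host(client_ip, domain):
    """Evaluate a small SPF subset (a, ip4, all) for one identity."""
    records = [r for r in lookup(domain, "SPF") if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"          # no policy published for this name
    if len(records) > 1:
        return "permerror"     # more than one record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"        # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            target = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def helo_check(client_ip, helo_name):
    """Check the HELO/EHLO name against the TCP-level SMTP client IP."""
    return check_host(client_ip, helo_name)
```

The client IP passed in is the address from the TCP connection, never an address derived from the HELO name itself, which is why a forged `mail.example.com` greeting from 192.168.10.10 falls through `a` to `-all`.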

