
Re: [spf-discuss] Question on a unified policy record approach

2005-09-03 23:58:52
On Sat, Sep 03, 2005 at 06:24:20PM -0400, Stuart D. Gathman wrote:

Since simply conforming to RFC HELO requirements (FQDN that resolves to
connect IP) is a reasonable authentication.

Sorry, must have missed an RFC.  Which RFC dictates that the parameter
to HELO (or EHLO) resolves to the connecting IP?

Read carefully: you say it has to resolve to the connecting IP.


RFC 2821

para 3.2:

   Once the server has sent the welcoming message and the client has
   received it, the client normally sends the EHLO command to the
   server, indicating the client's identity.

Nothing about IP, it is talking about identity.

para 3.6:

   The domain name given in the EHLO command MUST BE either a primary
   host name (a domain name that resolves to an A RR) or, if the host
   has no name, an address literal as described in section 4.1.1.1.

OK. The address literal has to match.  Primary hostname however does
not (see below).

para 4.1.1.1:

   The [HELO,EHLO] commands are used to identify the SMTP client to the SMTP
   server.  The argument field contains the fully-qualified domain name
   _of_the_SMTP_client_ if one is available.  In situations in which the
   SMTP client system does not have a meaningful domain name (e.g., when
   its address is dynamically allocated and no reverse mapping record is
   available), the client SHOULD send an address literal (see section
   4.1.3), optionally followed by information that will help to identify
   the client system.

Still no support for your statement.

Under no interpretation is "JUPITER" a valid EHLO (or even HELO by 4.1.1.1)
argument.

Correct.

However:

One host. Multiple interfaces. Each interface has its own name:

(I'm using the 10/8 network as example addresses; of course on the
internet other addresses need to be used)

jupiter.example.org       A   10.0.0.1
jupiter-eth1.example.org  A   10.1.0.1
jupiter-qw0.example.org   A   10.2.0.1

Suppose the primary hostname for this box is jupiter.example.org.
Suppose the SMTP connection is made via jupiter-qw0.example.org.
i.e. the connecting client uses address 10.2.0.1

This client (jupiter.example.org) has no choice but to say
"EHLO jupiter.example.org." (or the HELO equivalent).

However, 10.2.0.1 resolves to jupiter-qw0.example.org, not to
jupiter.example.org.

Your statement (FQDN that resolves to connect IP) is wrong. It assumes
this client will say "EHLO jupiter-qw0.example.org" but that is simply
not allowed by RFC 2821.

There is a reason the following is included in RFC 2821:
"
  An SMTP server MAY verify that the domain name parameter in the EHLO
  command actually corresponds to the IP address of the client.
  However, the server MUST NOT refuse to accept a message for this
  reason if the verification fails: the information about verification
  failure is for logging and tracing only.
"


Alex

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
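The post turns on two points: RFC 2821 only lets a server verify the EHLO/HELO argument for logging, and a multi-homed host legitimately sends its primary name even when the connection leaves from another interface. The block below is an added example (not code from this thread or from any SPF implementation) of a log-only HELO check that distinguishes those cases. It replaces real DNS lookups with a constructed in-memory table holding the three jupiter names and 10/8 addresses from the post, so it runs offline; the function names and the verdict strings are this example's own.

```python
"""Log-only EHLO/HELO verification in the spirit of RFC 2821 section 4.1.1.1.

Added example, not code from the spf-discuss thread.  DNS is replaced by
constructed tables so the script runs offline; the host names and 10/8
addresses mirror the multi-interface host described in the post.
"""
import ipaddress
import logging
import re

log = logging.getLogger("helo-check")

# Constructed forward (A) records for one host with three interfaces.
A_RECORDS = {
    "jupiter.example.org": {"10.0.0.1"},
    "jupiter-eth1.example.org": {"10.1.0.1"},
    "jupiter-qw0.example.org": {"10.2.0.1"},
}
# Constructed reverse (PTR) records derived from the A records above.
PTR_RECORDS = {ip: name for name, ips in A_RECORDS.items() for ip in ips}

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True for a dotted, multi-label host name; False for a bare name like JUPITER."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def verify_helo(helo_arg, client_ip, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Classify an EHLO/HELO argument against the connecting IP.

    Returns (verdict, detail).  Verdicts are 'syntax', 'unresolved',
    'match' or 'mismatch'.  None of them is a reason to refuse mail.
    """
    arg = helo_arg.strip()
    client = ipaddress.ip_address(client_ip)

    # Address literal form: [10.2.0.1] or [IPv6:...]; RFC 2821 section 4.1.3.
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.startswith("IPv6:"):
            literal = literal[len("IPv6:"):]
        try:
            lit = ipaddress.ip_address(literal)
        except ValueError:
            return ("syntax", f"invalid address literal {arg!r}")
        if lit == client:
            return ("match", f"literal {arg} equals connecting address")
        return ("mismatch", f"literal {arg} differs from connecting address {client}")

    # Domain form: must be a fully-qualified name (section 4.1.1.1).
    if not is_fqdn(arg):
        return ("syntax", f"{arg!r} is not a fully-qualified domain name")

    name = arg.rstrip(".").lower()
    ips = a_records.get(name, set())
    if not ips:
        return ("unresolved", f"{name} has no A record")
    if str(client) in ips:
        return ("match", f"{name} resolves to connecting address {client}")

    # The multi-interface case from the post: a valid primary host name
    # whose A record is not the address of the interface that connected.
    ptr = ptr_records.get(str(client), "unknown")
    return ("mismatch",
            f"{name} -> {sorted(ips)}, but client {client} reverses to {ptr}")


def log_helo(helo_arg, client_ip):
    """Record the verdict and hand the verdict back; the caller continues the
    session regardless, as RFC 2821 requires (logging and tracing only)."""
    verdict, detail = verify_helo(helo_arg, client_ip)
    log.info("EHLO %r from %s: %s (%s)", helo_arg, client_ip, verdict, detail)
    return verdict


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for helo, ip in [("jupiter.example.org", "10.2.0.1"),
                     ("jupiter-qw0.example.org", "10.2.0.1"),
                     ("JUPITER", "10.2.0.1"),
                     ("[10.2.0.1]", "10.2.0.1")]:
        log_helo(helo, ip)
```

The first case in the usage loop is exactly the situation the post describes: a compliant client sending its primary name from a secondary interface yields `mismatch`, which a server records but must not act on, while the bare `JUPITER` is a `syntax` failure that is a separate, genuine RFC 2821 violation.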
