spf-discuss

Re: [spf-discuss] Question on a unified policy record approach

2005-09-04 10:08:56
On Sun, 4 Sep 2005, Alex van den Bogaerdt wrote:

> However:
>
> One host. Multiple interfaces. Each interface has its own name:
>
> (I'm using the 10/8 network as example addresses; of course on the
> internet other addresses need to be used)
>
> jupiter.example.org       A   10.0.0.1
> jupiter-eth1.example.org  A   10.1.0.1
> jupiter-qw0.example.org   A   10.2.0.1
>
> Suppose the primary hostname for this box is jupiter.example.org.
> Suppose the SMTP connection is made via jupiter-qw0.example.org.
> i.e. the connecting client uses address 10.2.0.1
>
> This client (jupiter.example.org) has no choice but to say
> "EHLO jupiter.example.org." (or the HELO equivalent).
>
> However, 10.2.0.1 resolves to jupiter-qw0.example.org, not to
> jupiter.example.org

The PTR records are irrelevant.  We are only talking about
the EHLO name resolving to the connect IP, NOT the connect IP
resolving to the EHLO name.

The A records ought to look like:

jupiter.example.org       A   10.0.0.1
jupiter.example.org       A   10.1.0.1
jupiter.example.org       A   10.2.0.1
jupiter-eth1.example.org  A   10.1.0.1
jupiter-qw0.example.org   A   10.2.0.1

and then the EHLO is compliant with my reading of the RFC.

PTR records are irrelevant for EHLO.

> Your statement (FQDN that resolves to connect IP) is wrong. It assumes
> this client will say "EHLO jupiter-qw0.example.org" but that is simply
> not allowed by RFC 2821.

No, it doesn't; see above.

> There is a reason the following is included in RFC 2821:
> "
>   An SMTP server MAY verify that the domain name parameter in the EHLO
>   command actually corresponds to the IP address of the client.
>   However, the server MUST NOT refuse to accept a message for this
>   reason if the verification fails: the information about verification
>   failure is for logging and tracing only.
> "

Exactly.  This confirms my interpretation that EHLO is SUPPOSED to
correspond with the connect IP.   Currently, I never refuse a
connection based *only* on invalid EHLO.  However, I do insist
on some sort of valid ID.  I accept a valid EHLO, an SPF PASS, or a
valid non-dynamic PTR.  I do reject connections that can't provide
any of the above.  I should also accept a valid SRV record à la CSV/CSA,
but those guys (all 5 of them) can be expected to provide a valid EHLO
as well.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
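The check the thread is arguing about, as an added example (this is not code from the post, from Stuart's MTA, or from any SPF project). It verifies the EHLO parameter the way RFC 2821 describes: forward-resolve the EHLO name and ask whether the connecting address is among its A records, never consulting PTR. DNS is replaced by two constructed in-memory zones that mirror the post's multi-homed "jupiter" host, one before and one after the proposed fix of adding an A record for every interface to the primary name. The policy function encodes the poster's own stated rule (accept a valid EHLO, an SPF PASS, or a valid non-dynamic PTR; reject otherwise); the `spf_pass` and `static_ptr` inputs are assumed to have been computed elsewhere and are passed in as booleans. Handling of RFC 2821 address literals such as `[10.2.0.1]` goes beyond what the post discusses and is included as an assumption about how a complete check would behave.

```python
"""
Forward verification of an SMTP EHLO name against the connecting IP.
Added example, not code from the original post.  DNS is replaced by
constructed in-memory zones so the example runs offline.
"""
import ipaddress
import logging
from typing import Dict, List, Tuple

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("ehlo-check")

# Constructed zone data mirroring the post's multi-homed host "jupiter"
# (10/8 is used as documentation space, as in the post).
# "Before": the primary name resolves to one interface only.
ZONE_BEFORE: Dict[str, List[str]] = {
    "jupiter.example.org.": ["10.0.0.1"],
    "jupiter-eth1.example.org.": ["10.1.0.1"],
    "jupiter-qw0.example.org.": ["10.2.0.1"],
}

# "After": the fix the post proposes, an A record on the primary
# name for every interface the host may connect from.
ZONE_AFTER: Dict[str, List[str]] = {
    "jupiter.example.org.": ["10.0.0.1", "10.1.0.1", "10.2.0.1"],
    "jupiter-eth1.example.org.": ["10.1.0.1"],
    "jupiter-qw0.example.org.": ["10.2.0.1"],
}


def lookup_a(zone: Dict[str, List[str]], name: str) -> set:
    """Forward lookup only: EHLO name -> its A records.
    PTR is never consulted; that is the point the post makes."""
    key = name.strip().rstrip(".").lower() + "."
    return {ipaddress.ip_address(a) for a in zone.get(key, [])}


def ehlo_matches_client(zone: Dict[str, List[str]], ehlo: str, client_ip: str) -> bool:
    """Does the EHLO parameter correspond to the connecting address?

    Accepts a domain name (checked by forward A lookup) or an RFC 2821
    address literal such as "[10.2.0.1]" or "[IPv6:2001:db8::1]"
    (literal handling is an assumption beyond the post's discussion).
    """
    client = ipaddress.ip_address(client_ip)
    if ehlo.startswith("[") and ehlo.endswith("]"):
        inner = ehlo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            return ipaddress.ip_address(inner) == client
        except ValueError:
            return False  # a malformed literal never matches
    return client in lookup_a(zone, ehlo)


def smtp_accept(zone: Dict[str, List[str]], ehlo: str, client_ip: str,
                spf_pass: bool = False, static_ptr: bool = False) -> Tuple[bool, str]:
    """The poster's stated policy: require at least one valid identity.

    spf_pass and static_ptr are assumed to be computed by other checks
    (an SPF evaluator, a PTR/dynamic-range classifier) and passed in.
    """
    if ehlo_matches_client(zone, ehlo, client_ip):
        return True, "EHLO resolves to client IP"
    # RFC 2821: an EHLO mismatch by itself is for logging and tracing,
    # not a reason to refuse the message.
    log.info("EHLO %s does not resolve to %s", ehlo, client_ip)
    if spf_pass:
        return True, "SPF PASS"
    if static_ptr:
        return True, "valid non-dynamic PTR"
    return False, "no valid identity (EHLO, SPF or PTR)"


if __name__ == "__main__":
    # The post's scenario: jupiter connects from its qw0 interface.
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        ok, why = smtp_accept(zone, "jupiter.example.org", "10.2.0.1")
        print(f"{label}: accept={ok} ({why})")
    # The name the post says the client is not allowed to use still verifies.
    print("qw0 name:", ehlo_matches_client(ZONE_BEFORE, "jupiter-qw0.example.org", "10.2.0.1"))
```

With the "before" zone the primary name fails the forward check and the connection is accepted only if SPF or a static PTR vouches for it; with the "after" zone the same EHLO passes because 10.2.0.1 is now one of the primary name's A records, which is exactly the DNS change the post recommends.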

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
