
Re: [spf-discuss] Question on a unified policy record approach

2005-09-06 01:06:15
Graham,

At 12:03 AM 9/6/2005, Graham Murray wrote:
"Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com> writes:

>> From: Alex van den Bogaerdt [mailto:alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net]
>> Sent: Sunday, September 04, 2005 1:58 AM
>> One host. Multiple interfaces. Each interface has its own name:
>>
>> (I'm using the 10/8 network as example addresses; of course on the
>> internet other addresses need to be used)
>>
>> jupiter.example.org       A   10.0.0.1
>> jupiter-eth1.example.org  A   10.1.0.1
>> jupiter-qw0.example.org   A   10.2.0.1
>>
>> Suppose the primary hostname for this box is jupiter.example.org.
>> Suppose the SMTP connection is made via jupiter-qw0.example.org.
>> i.e. the connecting client uses address 10.2.0.1
>>
>> This client (jupiter.example.org) has no choice but to say
>> "EHLO jupiter.example.org." (or the HELO equivalent).
>>
>> However, 10.2.0.1 resolves to jupiter-qw0.example.org, not to
>> jupiter.example.org

> What I think is appropriate here is that jupiter.example.org submit
> its mail to jupiter-qw0.example.org for relay (or gatewaying, if you
> prefer) to the internet.  While the operators of example.org may
> find this a minor inconvenience, we can no longer condone EHLO FQDN
> forgery.  By acting as a non-vigilant pass-through proxy,
> jupiter-qw0.example.org is the machine committing forgery.  It is
> presenting the SMTP EHLO command to a server using a FQDN that does
> not belong to it.

Sorry about quoting so much.

I think you are missing something VERY important here. It is not
presenting a name which does not belong to it. jupiter.example.org and
jupiter-qw0.example.org are the ONE and the SAME machine. They are the
A (and PTR) record names for 2 interfaces on the one multi-homed
system. So jupiter is _not_ submitting its mail to jupiter-qw0 for
relaying, it is always using an EHLO of 'jupiter.example.org'
irrespective of which interface it actually uses to connect to the
remote SMTP server.

Or are you suggesting that on multi-homed systems SMTP clients
should use the EHLO name appropriate to the interface which is used to
connect to the server?

If I may interject. In your example, it seems like there are several IP addresses tied to one system that is doing SMTP services. No problem.

If each interface sends a HELO with the reverse of the IP for its interface and that is in turn checkable via a DNS lookup, I'm really not sure what the problem would be.

In other words,
HELO jupiter.example.org would have an A to 10.0.0.1 and 10.0.0.1 would have a PTR to jupiter.example.org
HELO jupiter-eth1.example.org would have an A to 10.1.0.1 and 10.1.0.1 would have a PTR to jupiter-eth1.example.org
etc.

If this is the case, I would think that there should be no problem in doing a HELO check. If this is not the case and all of the IPs use the HELO jupiter.example.org, then perhaps the SPF record could be checked to confirm the IP is valid for the variations of Jupiter (in other words, checking for TXT records for each of the variations and making note of the IPs that Jupiter could also be in its TXT record).

I'm probably missing something here. If so, sorry to be obtuse and please clue me in.

Best,

Alan Maitland
WebMaster(_at_)Commerco(_dot_)Net
The Commerce Company - Making Commerce Simple(sm)
http://WWW.Commerco.Com/
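The check Alan sketches above (forward-confirmed reverse DNS on the HELO name first, then falling back to the HELO name's own A records and to an SPF record published for the HELO domain), written out as an added example. This is not code from the spf-discuss thread or from the SPF project. The host and interface names are taken from Alex's jupiter example; the DNS zone is a constructed in-memory table so the script runs offline, the SPF record for jupiter.example.org is assumed, and the SPF evaluator handles only the `a`, `ip4`, `include` and `all` mechanisms rather than the full specification.

```python
"""
HELO/EHLO verification for a multi-homed SMTP client: strict FCrDNS first,
then the HELO name's A records, then the HELO domain's SPF record.

Added example, not code from the thread or the SPF project. DNS is replaced
by an in-memory zone (constructed, modelled on the jupiter example) so this
runs offline; replace lookup() with real resolver calls for production use.
"""
import ipaddress

# Constructed zone: the three-interface host from the thread plus an assumed
# SPF TXT record for jupiter.example.org that lists every interface.
ZONE = {
    ("jupiter.example.org", "A"): ["10.0.0.1"],
    ("jupiter-eth1.example.org", "A"): ["10.1.0.1"],
    ("jupiter-qw0.example.org", "A"): ["10.2.0.1"],
    ("1.0.0.10.in-addr.arpa", "PTR"): ["jupiter.example.org"],
    ("1.0.1.10.in-addr.arpa", "PTR"): ["jupiter-eth1.example.org"],
    ("1.0.2.10.in-addr.arpa", "PTR"): ["jupiter-qw0.example.org"],
    ("jupiter.example.org", "TXT"): [
        "v=spf1 a a:jupiter-eth1.example.org a:jupiter-qw0.example.org -all"
    ],
    ("impostor.example.net", "A"): ["192.0.2.10"],  # unrelated host
}


def lookup(name, rtype, zone=ZONE):
    """Records for (name, rtype) in the zone, or [] when there are none."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def fcrdns_ok(helo, ip, zone=ZONE):
    """Strict check: the IP's PTR must name the HELO host and that name must
    resolve back to the IP. Fails for jupiter connecting via its qw0 interface."""
    ptr_names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR", zone)
    return any(
        n.lower() == helo.lower() and ip in lookup(n, "A", zone) for n in ptr_names
    )


def spf_allows(domain, ip, zone=ZONE, depth=0):
    """Minimal SPF evaluator (assumed subset: a, a:host, ip4:cidr, include:, all).
    Returns True only when a matching mechanism carries a '+' or '?' qualifier."""
    if depth > 10:  # guard against include: loops
        return False
    txt = [t for t in lookup(domain, "TXT", zone) if t.startswith("v=spf1")]
    if not txt:
        return False
    addr = ipaddress.ip_address(ip)
    for term in txt[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "a":
            hit = ip in lookup(arg or domain, "A", zone)
        elif mech == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            hit = spf_allows(arg, ip, zone, depth + 1)
        elif mech == "all":
            hit = True
        else:
            hit = False
        if hit:
            return qualifier in "+?"
    return False


def check_helo(helo, ip, zone=ZONE):
    """Classify a (HELO name, client IP) pair.

    'fcrdns'  - PTR and A agree with the HELO name (strongest evidence)
    'forward' - the HELO name's A records include the IP, PTR names another host
    'spf'     - the HELO domain's SPF record authorizes the IP
    'fail'    - none of the above: the name does not belong to this IP
    """
    if fcrdns_ok(helo, ip, zone):
        return "fcrdns"
    if ip in lookup(helo, "A", zone):
        return "forward"
    if spf_allows(helo, ip, zone):
        return "spf"
    return "fail"


if __name__ == "__main__":
    for helo, ip in [("jupiter.example.org", "10.0.0.1"),
                     ("jupiter.example.org", "10.2.0.1"),
                     ("jupiter-qw0.example.org", "10.2.0.1"),
                     ("impostor.example.net", "10.0.0.1")]:
        print(f"HELO {helo:26} from {ip:10} -> {check_helo(helo, ip)}")
```

The second case is the one the thread argues about: jupiter says EHLO jupiter.example.org from 10.2.0.1, strict FCrDNS fails because the PTR names jupiter-qw0, and only the SPF record for the HELO domain rescues it. The last case is the forgery Seth is worried about: a host presenting a name whose records never point at its address gets 'fail'.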



-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
