RE: [spf-discuss] Question on a unified policy record approach

2005-09-06 11:35:24
From: Graham Murray [mailto:graham(_at_)gmurray(_dot_)org(_dot_)uk]
Sent: Tuesday, September 06, 2005 1:03 AM


"Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com> writes:

From: Alex van den Bogaerdt [mailto:alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net]
Sent: Sunday, September 04, 2005 1:58 AM
One host. Multiple interfaces. Each interface has its own name:

(I'm using the 10/8 network as example addresses; of course on the
internet other addresses need to be used)

jupiter.example.org       A   10.0.0.1
jupiter-eth1.example.org  A   10.1.0.1
jupiter-qw0.example.org   A   10.2.0.1


<...>

I think you are missing something VERY important here. It is not
presenting a name which does not belong to it. jupiter.example.org and
jupiter-qw0.example.org are the ONE and the SAME machine.

Sorry, I did miss that.  It may change some of the details, but it still
doesn't change my primary point.


<...>


Or are you suggesting that on multi-homed systems that SMTP clients
should use the EHLO name appropriate to the interface which is used to
connect to the server?

That's exactly what I'm suggesting.  What is the point of a requirement for
an SMTP client to give its FQDN to an SMTP server while forbidding the
server from rejecting the connection when the FQDN and IP do not match?
While you could provide a partial fix for this by listing _all_ the FQDNs
for the machine under _every_ IP in the reverse DNS zone, that does not
reliably solve the problem.  Anyone with control over their rDNS zone could
list your hostname under their IP and masquerade as your domain.  That's why
some systems ignore the RFCs and REQUIRE forward and reverse DNS to match.
Saying that SPF can resolve this problem easily is beside the point.
RFC2821 was not written with SPF in mind to close the holes.

I repeat the question concerning 2821:  why REQUIRE SMTP clients to give a
valid FQDN (ignoring address literals, for the moment) and then say SMTP
servers MUST NOT deny connections when the A record doesn't match?  That's
like passing a law with two provisions:  1) forgery is illegal and 2) no
governmental entity may prosecute anyone for forgery.  Unless I am missing
something, the two provisions appear contradictory and make it essentially
useless.  Legitimate mailers will give you their correct FQDN, spammers will
not, and you MUST accept both.  Why bother checking if you can't reject?


--

Seth Goodman
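The three checks argued over above (EHLO name against the connecting IP, a PTR-only match, and forward-confirmed reverse DNS) can be seen side by side on a small constructed DNS table. This is an added example, not code from anyone in the thread; the table is made up so it runs offline. The jupiter names and 10/8 addresses follow Alex's example, while mail.attacker.test and 10.9.9.9 are placeholder names for an address whose rDNS zone is controlled by someone else.

```python
# Added example (not from the thread): EHLO-name vs. IP checks over a
# constructed DNS table so the script runs offline. Zone data is made up;
# the jupiter names follow Alex's example, mail.attacker.test / 10.9.9.9
# are placeholders for an address whose rDNS someone else controls.

FORWARD = {  # name -> A records (constructed)
    "jupiter.example.org": {"10.0.0.1"},
    "jupiter-eth1.example.org": {"10.1.0.1"},
    "jupiter-qw0.example.org": {"10.2.0.1"},
    "mail.attacker.test": {"10.9.9.9"},
}

REVERSE = {  # ip -> PTR names (constructed)
    "10.0.0.1": ["jupiter.example.org"],
    "10.1.0.1": ["jupiter-eth1.example.org"],
    "10.2.0.1": ["jupiter-qw0.example.org"],
    # Whoever controls the rDNS zone for 10.9.9.9 can publish any PTR name,
    # including jupiter's. This is the masquerade the thread describes.
    "10.9.9.9": ["jupiter.example.org", "mail.attacker.test"],
}


def lookup_a(name, fwd=FORWARD):
    """A records for a name; the dict stands in for a real resolver."""
    return set(fwd.get(name.lower().rstrip("."), ()))


def lookup_ptr(ip, rev=REVERSE):
    """PTR names for an address."""
    return list(rev.get(ip, ()))


def ehlo_matches_ip(ehlo_name, client_ip, fwd=FORWARD):
    """RFC 2821 style check: does the EHLO name resolve to the connecting IP?
    Fails for a multi-homed host greeting with a name bound to another interface."""
    return client_ip in lookup_a(ehlo_name, fwd)


def ptr_only_check(ehlo_name, client_ip, rev=REVERSE):
    """Weak check: accept if the EHLO name appears among the PTR records.
    Trusts whatever the owner of the rDNS zone chose to publish."""
    return ehlo_name.lower() in {n.lower() for n in lookup_ptr(client_ip, rev)}


def fcrdns_names(client_ip, fwd=FORWARD, rev=REVERSE):
    """Forward-confirmed reverse DNS: keep only PTR names whose own A records
    include the connecting IP. A PTR the rDNS owner invented is dropped here."""
    return [n for n in lookup_ptr(client_ip, rev) if client_ip in lookup_a(n, fwd)]


def classify(ehlo_name, client_ip, fwd=FORWARD, rev=REVERSE):
    """What a receiver can conclude about the EHLO name for this connection."""
    if ehlo_matches_ip(ehlo_name, client_ip, fwd):
        return "ehlo-forward-match"
    confirmed = fcrdns_names(client_ip, fwd, rev)
    if ptr_only_check(ehlo_name, client_ip, rev):
        # rDNS claims the name but forward DNS does not back it: this is what
        # both the "list every FQDN under every IP" fix and a masquerade look like.
        return "ptr-unconfirmed"
    if confirmed:
        # The host is identifiable under another name, e.g. a multi-homed
        # machine greeting as jupiter.example.org from its qw0 interface.
        return "host-known-ehlo-mismatch"
    return "no-match"


if __name__ == "__main__":
    for ehlo, ip in [("jupiter-qw0.example.org", "10.2.0.1"),
                     ("jupiter.example.org", "10.2.0.1"),
                     ("jupiter.example.org", "10.9.9.9")]:
        print(f"{ehlo:26} from {ip:9} -> {classify(ehlo, ip)}; "
              f"FCrDNS names: {fcrdns_names(ip)}")
```

Running the script shows the distinction Seth is drawing: the multi-homed host greeting with the "wrong" interface name fails the forward match but is still identified by FCrDNS as jupiter-qw0.example.org, whereas the 10.9.9.9 connection passes a PTR-only check for jupiter.example.org and fails forward confirmation. Copy REVERSE, list all three jupiter names under 10.2.0.1, and classify again to see that the partial fix only ever produces the same "ptr-unconfirmed" verdict as the masquerade.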



-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/