spf-discuss

Re: [spf-discuss] Question on a unified policy record approach

2005-09-06 12:49:40
On Tue, 6 Sep 2005, paddy wrote:

> On Tue, Sep 06, 2005 at 01:34:46PM -0500, Seth Goodman wrote:
> > I repeat the question concerning 2821:  why REQUIRE SMTP clients to give a
> > valid FQDN (ignoring address literals, for the moment) and then say SMTP
> > servers MUST NOT deny connections when the A record doesn't match?  That's
> > like passing a law with two provisions:  1) forgery is illegal and 2) no
> > governmental entity may prosecute anyone for forgery.  Unless I am missing
> > something, the two provisions appear contradictory and make it essentially
> > useless.  Legitimate mailers will give you their correct FQDN, spammers will
> > not, and you MUST accept both.  Why bother checking if you can't reject?
>
> Seth,
>
> I have been asking myself similar questions.  I came across this:
>
> http://article.gmane.org/gmane.ietf.mxcomp/2707/match=apnic
>
> which may be of some interest.

PTR (reverse DNS) should not be used for email authentication because
it is not under the control of the domain owner.

Validating EHLO FQDN does not use PTR records.  It simply looks up
the A record for the FQDN (standard name to IP lookup) and checks
that one of the IP addresses for that name is indeed the client IP.

A very, very simple requirement.  There really is no excuse not
to meet it.  The multi-home example is not a problem because you
can either use a distinct name for each interface, or use one name
for all interfaces.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
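
The forward-only EHLO check described in the message above, as an added example that is not part of the original post: it resolves the EHLO name to addresses and tests whether the connecting IP is among them, with no PTR lookup. The function names, the result labels `pass`/`fail`/`temperror`, and the sample zone are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_resolver(name):
    """Forward lookup only (name to addresses); never queries PTR."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def check_helo(helo_arg, client_ip, resolve=system_resolver):
    """Return 'pass', 'fail' or 'temperror' (hypothetical labels)."""
    client = ipaddress.ip_address(client_ip)
    # Address literal such as [192.0.2.25] or [IPv6:2001:db8::25]:
    # nothing to resolve, compare it with the peer address directly.
    if helo_arg.startswith("[") and helo_arg.endswith("]"):
        literal = helo_arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            return "pass" if ipaddress.ip_address(literal) == client else "fail"
        except ValueError:
            return "fail"
    name = helo_arg.rstrip(".").lower()
    if "." not in name:              # a bare host name is not an FQDN
        return "fail"
    try:
        addresses = resolve(name)
    except socket.gaierror as exc:
        # EAI_AGAIN is a transient DNS failure; other errors mean no such name.
        return "temperror" if exc.errno == socket.EAI_AGAIN else "fail"
    # One matching address is enough, so a multi-homed host may publish
    # one name for all interfaces or a distinct name per interface.
    match = any(ipaddress.ip_address(a) == client for a in addresses)
    return "pass" if match else "fail"

# Constructed sample zone (documentation address ranges), not real data.
ZONE = {
    "mail.example.org": ["192.0.2.25", "198.51.100.25"],  # one name, two interfaces
    "mx1.example.org": ["192.0.2.25"],                    # distinct name per interface
    "mx2.example.org": ["198.51.100.25"],
}

def constructed_resolver(name):
    if name not in ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "no such name (constructed)")
    return ZONE[name]

if __name__ == "__main__":
    for helo, ip in [("mail.example.org", "198.51.100.25"),
                     ("mx1.example.org", "198.51.100.25"),
                     ("[192.0.2.25]", "192.0.2.25")]:
        print(helo, ip, check_helo(helo, ip, constructed_resolver))
```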

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/