spf-discuss

Re: [spf-discuss] Question on a unified policy record approach

2005-09-06 12:59:39


paddy wrote:
On Tue, Sep 06, 2005 at 01:34:46PM -0500, Seth Goodman wrote:

That's exactly what I'm suggesting.  What is the point of a requirement for
an SMTP client to give its FQDN to an SMTP server while forbidding the
server from rejecting the connection when the FQDN and IP do not match?
While you could provide a partial fix for this by listing _all_ the FQDNs
for the machine under _every_ IP in the reverse DNS zone, that does not
reliably solve the problem.  Anyone with control over their rDNS zone could
list your hostname under their IP and masquerade as your domain.  That's why
some systems ignore the RFCs and REQUIRE forward and reverse DNS to match.
Saying that SPF can resolve this problem easily is beside the point.
RFC2821 was not written with SPF in mind to close the holes.

I repeat the question concerning 2821:  why REQUIRE SMTP clients to give a
valid FQDN (ignoring address literals, for the moment) and then say SMTP
servers MUST NOT deny connections when the A record doesn't match?  That's
like passing a law with two provisions:  1) forgery is illegal and 2) no
governmental entity may prosecute anyone for forgery.  Unless I am missing
something, the two provisions appear contradictory and make it essentially
useless.  Legitimate mailers will give you their correct FQDN, spammers will
not, and you MUST accept both.  Why bother checking if you can't reject?


Seth,

I have been asking myself similar questions.  I came across this:

http://article.gmane.org/gmane.ietf.mxcomp/2707/match=apnic

which may be of some interest.

Regards,
Paddy

Um, reverse lookups are cacheable, correct?

And are there any major MTAs that don't already do a reverse lookup for logging purposes?  (sendmail and postfix do; I don't have any Exchange servers, so I cannot test that one.)

So if the majority of major MTAs already do a reverse lookup for logging purposes, how is the load likely to increase drastically with the deployment of a new module (e.g. SPF) that checks for the reverse?

Am I missing something (or just uninformed  :)?


--
Terry Fielder
terry(_at_)greatgulfhomes(_dot_)com
Associate Director Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
Fax: (416) 441-9085
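The two checks the thread contrasts, as an added example that is not part of any post above: a PTR-only lookup (which anyone controlling their own reverse zone can satisfy with someone else's hostname, exactly as Seth describes) beside a forward-confirmed check that also resolves the PTR name forward and requires the connecting IP to be among its A records, plus the plain "does the HELO name's A record match the client IP" test from RFC 2821. Real DNS is replaced by a small in-memory table so the code runs offline; the addresses are from the RFC 5737 documentation ranges and the zone contents are constructed for the illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) versus PTR-only checks for an SMTP client.

Added illustration, not code from the list post.  An in-memory resolver
stands in for real DNS; all names and addresses below are constructed.
"""
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed zone data.  Keys are (record type, owner name), lower-cased.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    # Legitimate mail host: the domain owner controls both the forward
    # zone and the reverse zone for its address.
    ("PTR", "10.2.0.192.in-addr.arpa"): ["mail.example.com"],
    ("A", "mail.example.com"): ["192.0.2.10"],
    # Address block whose reverse zone belongs to someone else entirely:
    # they can publish any PTR they like, including another domain's name.
    ("PTR", "5.113.0.203.in-addr.arpa"): ["mail.example.com"],
    # 198.51.100.7 deliberately has no PTR at all.
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address."""
    octets = ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def lookup(rrtype: str, name: str) -> List[str]:
    """Resolver stand-in: return the RRset or an empty list (NXDOMAIN)."""
    return FAKE_DNS.get((rrtype, name.lower()), [])


def ptr_only_check(client_ip: str, claimed_fqdn: str) -> bool:
    """Weak check: trust whatever the reverse zone says about the IP."""
    names = [n.lower() for n in lookup("PTR", reverse_name(client_ip))]
    return claimed_fqdn.lower() in names


def helo_forward_check(client_ip: str, claimed_fqdn: str) -> bool:
    """RFC 2821 style check: does the HELO name's A record contain the client IP?"""
    return client_ip in lookup("A", claimed_fqdn)


def fcrdns_check(client_ip: str, claimed_fqdn: str) -> bool:
    """Strong check: the PTR name must match the claim AND resolve forward
    back to the connecting IP, so a foreign reverse zone cannot vouch for it."""
    for name in lookup("PTR", reverse_name(client_ip)):
        if name.lower() == claimed_fqdn.lower() and client_ip in lookup("A", name):
            return True
    return False


def evaluate(client_ip: str, claimed_fqdn: str) -> Dict[str, bool]:
    """Run all three checks for one connection; handy for log-style output."""
    return {
        "ptr_only": ptr_only_check(client_ip, claimed_fqdn),
        "helo_forward": helo_forward_check(client_ip, claimed_fqdn),
        "fcrdns": fcrdns_check(client_ip, claimed_fqdn),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.7"):
        print(ip, evaluate(ip, "mail.example.com"))
```

The spoofed case is the interesting line: 203.0.113.5 passes the PTR-only test because its reverse zone owner published mail.example.com, but fails both the forward HELO test and FCrDNS because mail.example.com's A record points elsewhere. Every lookup here is an ordinary PTR or A query, so in a real MTA the answers sit in the same resolver cache that the logging-time reverse lookup already populates.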

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com