On Tue, Sep 06, 2005 at 03:48:50PM -0400, Stuart D. Gathman wrote:
> On Tue, 6 Sep 2005, paddy wrote:
> > On Tue, Sep 06, 2005 at 01:34:46PM -0500, Seth Goodman wrote:
> > > I repeat the question concerning 2821: why REQUIRE SMTP clients to give a
> > > valid FQDN (ignoring address literals, for the moment) and then say SMTP
> > > servers MUST NOT deny connections when the A record doesn't match? That's
> > > like passing a law with two provisions: 1) forgery is illegal and 2) no
> > > governmental entity may prosecute anyone for forgery. Unless I am missing
> > > something, the two provisions appear contradictory and make it essentially
> > > useless. Legitimate mailers will give you their correct FQDN, spammers will
> > > not, and you MUST accept both. Why bother checking if you can't reject?
> >
> > Seth,
> >
> > I have been asking myself similar questions. I came across this:
> >
> > http://article.gmane.org/gmane.ietf.mxcomp/2707/match=apnic
> >
> > which may be of some interest.
>
> PTR (reverse DNS) should not be used for email authentication because
> it is not under the control of the domain owner.

How is it any more or less under the control of the domain owner than
the A record?

I have boxes with PTR records set (what I hope is) correctly.
Wasn't hard to do. Certainly felt as much like being in control as
having a DNS domain does ...

> Validating EHLO FQDN does not use PTR records.

I'm not sure that validating in 2821 terms is anything more than a
syntax check, but I assume you mean:

    An SMTP server MAY verify that the domain name parameter in the EHLO
    command actually corresponds to the IP address of the client.

depends on your interpretation.

See my other posts here.

Go and look at implementations.

I'm interested to hear arguments that it _shouldn't_.

> It simply looks up
> the A record for the FQDN (standard name to IP lookup) and checks
> that one of the IP addresses for that name is indeed the client IP.

a useful check in itself, albeit at the cost of a dns lookup.

> A very, very simple requirement. There really is no excuse not
> to meet it. The multi-home example is not a problem because you
> can either use a distinct name for each interface, or use one name
> for all interfaces.

That's certainly the way it seems to me.
Regards,
Paddy
--
Perl 6 will give you the big knob. -- Larry Wall