On Sat, 25 Feb 2006, Hector Santos wrote:
> I have been exploring this rule in our SPF implementation with great
> success:
>
>    result = SPF(MFROM.DOMAIN)
>    if result in [NEUTRAL, SOFTFAIL] then
>       if HELO.DOMAIN = MFROM.DOMAIN and
>          result = FAIL
>
> In other words, if the MACHINE and the SENDER are the same domain, then there
> is no reason for a NEUTRAL or SOFTFAIL in the SPF(MFROM.DOMAIN) result.
>
> Any comments about this?

I reject all connections with an SPF record for the HELO name that does
not get a pass. I think this is equivalent to what you are doing -
but happens sooner. I agree that there is absolutely no reason why
the HELO name should not get a pass when there is an SPF record for it.
There are no roaming laptop users that should be using it, etc, etc.
If you combine this with requiring a pass even for "guessed" spf record
"v=spf1 a mx", you essentially require 2821 compliant HELO names with
just a bit of laxness. (But enforcing this last rejects too
many braindead but otherwise legitimate MTAs.)
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
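
The two rules discussed in this message, side by side, as an added example that is not part of the original post or of either poster's implementation. The SPF evaluator is injected and backed by a constructed table instead of DNS; all names, the sample zone and the sessions are assumptions, and the quoted rule is taken with only the condition visible in the post.

```python
# Added illustration: names, sample zone and sessions are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

PASS, FAIL, SOFTFAIL, NEUTRAL, NONE = "pass", "fail", "softfail", "neutral", "none"
SpfCheck = Callable[[str, str], str]   # (client_ip, domain) -> SPF result

@dataclass
class Session:
    client_ip: str
    helo: str
    mfrom_domain: str

def norm(domain: str) -> str:
    return domain.lower().rstrip(".")

def helo_policy(s: Session, spf: SpfCheck) -> Optional[str]:
    """Reply's rule, run at HELO time: a HELO name that has an SPF record
    must get a pass. Returns an SMTP rejection line, or None to continue."""
    result = spf(s.client_ip, norm(s.helo))
    if result not in (NONE, PASS):      # temperror/permerror are not modelled
        return f"550 HELO {s.helo}: SPF {result}"
    return None

def mfrom_policy(s: Session, spf: SpfCheck) -> str:
    """Quoted rule, run at MAIL FROM time: neutral or softfail becomes fail
    when the HELO name is the envelope sender's own domain."""
    result = spf(s.client_ip, norm(s.mfrom_domain))
    if result in (NEUTRAL, SOFTFAIL) and norm(s.helo) == norm(s.mfrom_domain):
        result = FAIL
    return result

# Constructed stand-in for DNS: domain -> (authorized IPs, result for all others)
ZONE = {"example.com": ({"192.0.2.10"}, SOFTFAIL),
        "example.net": ({"198.51.100.5"}, NEUTRAL)}

def sample_spf(client_ip: str, domain: str) -> str:
    if domain not in ZONE:
        return NONE
    allowed, default = ZONE[domain]
    return PASS if client_ip in allowed else default

def evaluate(s: Session):
    return helo_policy(s, sample_spf), mfrom_policy(s, sample_spf)

if __name__ == "__main__":
    for args in (("203.0.113.7", "example.com", "example.com"),
                 ("203.0.113.7", "example.net", "example.com")):
        print(args, "->", evaluate(Session(*args)))
```

In the second sample session the HELO name and the envelope sender are different domains, so the HELO rule rejects while the MAIL FROM rule leaves the softfail unchanged.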
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/