
Re: [spf-discuss] NEUTRAL vs NONE for HELO

2006-06-21 17:56:35
On Wednesday 21 June 2006 20:28, Alex van den Bogaerdt wrote:
> On Wed, Jun 21, 2006 at 11:52:31PM +0200, Alex van den Bogaerdt wrote:
> > All right, I have a hard time thinking of any useful examples.
>
> OK, what about this one:
>
> Small provider "example" has one host, "example.com".  This host
> sends mail for domain "example.com".
>
> They worry about possible cross-user forgery and follow Scott's
> advice (I think it is primarily Scott?), publishing:
>
>  "v=spf1 ?example.com -all"
>
> Sure, I agree it will be a minority but it may not be as far-fetched
> as you think.

Although I may harp on the issue a lot, it's not just me, it's RFC 4408:

http://new.openspf.org/svn/project/specs/rfc4408.html#cross-user-forgery

In the case of a single user domain like you are discussing, I don't think 
cross-user forgery is an issue.

Although there are domains that use the same HELO argument for all their 
servers (hotmail.com comes to mind, IIRC), I don't think that design is 
consistent with the RFCs.  From RFC 2821, para 3.6:

   -  The domain name given in the EHLO command MUST BE either a primary
      host name (a domain name that resolves to an A RR) or, if the host
      has no name, an address literal as described in section 4.1.1.1.

For purists, RFC 821 is similar.  From Para 4.1.1:

         HELLO (HELO)

            This command is used to identify the sender-SMTP to the
            receiver-SMTP.  The argument field contains the host name of
            the sender-SMTP.

So, if a sender is using the same domain name instead of the individual 
hostname to HELO/EHLO for multiple servers, then I believe that they are 
engaging in non-standard behavior.  While as a practical matter a receiver 
may choose to ignore this behavior, I don't think anyone should feel 
obligated to change their practices to support it.

For HELO/EHLO, I think rejecting anything that is not PASS or NONE is an 
entirely reasonable receiver policy from a standards perspective.  I can't 
think of a reasonable scenario where a single standards-compliant host should 
not be able to positively identify itself with a PASS if the sender 
chooses to publish an SPF record for that hostname.

Scott K
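The receiver policy Scott argues for ("accept HELO only on PASS or NONE") can be checked against Alex's single-host example with a small evaluator. The following is an added illustration, not code from this list or from any SPF implementation. It implements only a subset of RFC 4408 (the ip4, a/a:domain and all mechanisms with the four qualifiers), resolves names from a constructed in-memory DNS table instead of real DNS, and models the quoted record as `v=spf1 ?a:example.com -all`, which is an assumption about the intent of "?example.com"; the other hostnames and addresses are constructed as well.

```python
"""Toy HELO-identity SPF evaluation plus the 'PASS or NONE only' receiver
policy from the post.  Added example with constructed data; it is not the
list's code nor any SPF library."""
import ipaddress

# Constructed DNS data (assumption): A records and TXT records per name.
# example.com models Alex's single-host provider; its record is read as
# "?a:example.com -all" (assumption about what "?example.com" intends).
DNS = {
    "example.com":        {"A": ["192.0.2.10"],   "TXT": ["v=spf1 ?a:example.com -all"]},
    "mail.example.net":   {"A": ["198.51.100.5"], "TXT": ["v=spf1 a -all"]},
    "nospf.example.org":  {"A": ["203.0.113.7"],  "TXT": []},
}

# RFC 4408 qualifiers and the result each yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def check_helo(ip, helo):
    """Evaluate the HELO identity for client address ip.

    Returns an RFC 4408 result string: none, neutral, pass, fail,
    softfail or permerror (temperror cannot occur with a static table).
    """
    records = [t for t in lookup(helo, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"            # no SPF record published for the HELO name
    if len(records) > 1:
        return "permerror"       # RFC 4408: more than one record is an error
    try:
        client = ipaddress.ip_address(ip)
        for term in records[0].split()[1:]:
            qualifier = "+"      # default qualifier is pass
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            name = name.lower()
            if name == "all":
                matched = True
            elif name == "ip4":
                matched = client in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                target = arg or helo
                matched = any(client == ipaddress.ip_address(a) for a in lookup(target, "A"))
            else:
                return "permerror"   # mechanism outside this toy's subset
            if matched:
                return QUALIFIERS[qualifier]
    except ValueError:
        return "permerror"           # malformed address or network in the record
    return "neutral"                 # RFC 4408 default when nothing matched


def helo_policy(result):
    """Receiver decision from the post: accept HELO only on PASS or NONE."""
    return "accept" if result in ("pass", "none") else "reject"


def decide(ip, helo):
    """Convenience wrapper returning (spf_result, decision)."""
    result = check_helo(ip, helo)
    return result, helo_policy(result)


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "example.com"),
                     ("198.51.100.5", "mail.example.net"),
                     ("198.51.100.9", "mail.example.net"),
                     ("203.0.113.7", "nospf.example.org")]:
        print(helo, ip, *decide(ip, helo))
```

Running it shows the point of the thread: the single host example.com, sending from its own address, evaluates to NEUTRAL under the "?" qualifier and is rejected by this policy, whereas a host publishing a plain `a -all` record gets PASS and a host with no record at all gets NONE, both of which are accepted.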

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com