spf-discuss

Re: [spf-discuss] NEUTRAL vs NONE for HELO

2006-06-21 19:06:26
On Wednesday 21 June 2006 21:22, Alex van den Bogaerdt wrote:
> On Wed, Jun 21, 2006 at 08:55:37PM -0400, Scott Kitterman wrote:
> > For HELO/EHLO, I think rejecting anything that is not PASS or NONE is an
> > entirely reasonable receiver policy from a standards perspective.  I
> > can't think of a reasonable scenario where a single standards compliant
> > host should not be able to positively identify themselves with a PASS if
> > the sender chooses to publish an SPF record for that hostname.
>
> I think I just gave such an example.  Do you think that scenario is
> unreasonable? (n.b.: I was *not* discussing a single user host!)

OK.  I missed that part.

> As long as host names are not used as primary mail domains, no problem
> should occur, I agree with you on that.  But as soon as a host name is
> the same as a mail domain and when this mail domain should not result
> in a PASS, the host name can also not result in a PASS.

I sometimes get these confused, so help me here.  If mail_domain==hostname,
then to be RFC 821/2821 compliant are we necessarily talking about a domain
that sends from a single mail server?

> This is a slight disadvantage SPF has; HELO and MAIL FROM share the
> same space.  This won't matter in many cases, but many is not all.

Agreed.

> You write:
> "... if the sender chooses to publish an SPF record for that hostname."
>
> They don't.  They choose to publish an SPF record for that email domain.
> It just happens to be the same as the host's name.  Some people will
> not even know about their HELO, others will analyse the situation and
> consider it to be all right because they can live with NEUTRAL being
> returned.
>
> If HELO should always return {PASS, FAIL or NONE}, then this should be in
> the spec. Currently it is OK to return NEUTRAL, people publishing such
> a record rely on receivers to follow the spec.
>
> Anyone can do anything with their mail.  I (we?) just want to avoid
> seeing calls from people following the spec yet find their mail rejected
> because someone (Stuart, or anyone else) uses an SPF record for something
> it was not designed for.

I agree that what Stuart is doing should not be described as an SPF rejection.
Actually, if you look at RFC 4408, I do not believe that it advises rejecting
messages anywhere.  The rejection is actually based on local policy.  I think
better semantics would be something like SPF_HELO_Result=Neutral, message
rejected due to local policy.  An extended version might also say local
policy requires HELO names with SPF records to PASS.

> I think there's not a big difference between rejecting HELO and rejecting
> MAIL FROM in these situations.  In both cases the receiver does something
> the domain owner did not intend.

Agreed.  Actually, it just occurred to me that the one piece of receiver policy
left from the early specs in RFC 4408 is:

"A 'Neutral' result MUST be treated exactly like the 'None' result; the
distinction exists only for informational purposes."

Based on that, I withdraw my earlier remark.  Unless Stuart rejects all
messages where the SPF HELO/EHLO result is NONE, he MUST not reject if the
SPF HELO/EHLO result is NEUTRAL.  While, as a practical matter, what he is
doing is OK, it's contrary to a MUST in the RFC.  I absolutely agree that
non-standard behavior like this should be discouraged.

Sorry Stuart,

Scott K
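
The receiver-policy point the message above ends on, as an added example that is not part of the original e-mail or of any SPF implementation: a check that a HELO policy handles Neutral exactly like None, and a reply that attributes a refusal to local policy. The function names, policy names, action labels and reply codes are assumptions made for illustration.

```python
# Added example: names, action labels and reply codes are assumptions,
# not taken from the thread or from any SPF library.
SPF_RESULTS = ("none", "neutral", "pass", "fail",
               "softfail", "temperror", "permerror")
ACTIONS = {"accept": "250", "reject": "550", "defer": "451"}

def policy_problems(policy):
    """List the ways a HELO policy (result -> action) breaks the rule
    quoted in the thread: Neutral must be treated exactly like None."""
    problems = []
    for result in SPF_RESULTS:
        if policy.get(result) not in ACTIONS:
            problems.append(f"no valid action for result '{result}'")
    if policy.get("neutral") != policy.get("none"):
        problems.append(
            f"neutral -> {policy.get('neutral')} but none -> "
            f"{policy.get('none')}; the two must be handled identically")
    return problems

def helo_reply(policy, helo_name, result):
    """SMTP reply for one HELO check. A refusal reports the SPF result
    and attributes the decision to local policy, not to SPF itself."""
    if policy_problems(policy):
        raise ValueError("refusing to apply a non-conforming policy")
    code = ACTIONS[policy[result]]
    if code == "250":
        return "250 OK"
    verb = "rejected" if code == "550" else "deferred"
    return (f"{code} SPF_HELO_Result={result.capitalize()} for {helo_name}; "
            f"message {verb} due to local policy")

# The policy discussed in the thread: anything but PASS or NONE is refused.
PASS_OR_NONE_ONLY = {r: "reject" for r in SPF_RESULTS}
PASS_OR_NONE_ONLY.update({"pass": "accept", "none": "accept"})

# Conforming variant 1: Neutral follows None and is accepted.
NEUTRAL_AS_NONE = dict(PASS_OR_NONE_ONLY, neutral="accept")
# Conforming variant 2: None is refused as well, so Neutral may be too.
PASS_REQUIRED = dict(PASS_OR_NONE_ONLY, none="reject")

if __name__ == "__main__":
    # Constructed sample: one host name checked against each policy.
    for name, pol in (("PASS_OR_NONE_ONLY", PASS_OR_NONE_ONLY),
                      ("NEUTRAL_AS_NONE", NEUTRAL_AS_NONE),
                      ("PASS_REQUIRED", PASS_REQUIRED)):
        issues = policy_problems(pol)
        print(name, issues or helo_reply(pol, "mail.example.org", "neutral"))
```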
