
Re: [spf-discuss] NEUTRAL vs NONE for HELO

2006-06-22 04:27:05
On Wed, Jun 21, 2006 at 10:05:35PM -0400, Scott Kitterman wrote:
> > As long as host names are not used as primary mail domains, no problem
> > should occur, I agree with you on that.  But as soon as a host name is
> > the same as a mail domain and when this mail domain should not result
> > in a PASS, the host name can also not result in a PASS.

> I sometimes get these confused, so help me here.  If mail_domain==hostname,
> then to be RFC 821/2821 compliant are we necessarily talking about a domain
> that sends from a single mail server?

Think of a small provider, being in business since '92 or so, gradually
adding mail servers as soon as they needed.

Zone example.com has three (or more) hosts:
1:  example.com
2:  mail2.example.com
3:  mail3.example.com

Inbound mail works:

example.com.  MX 10 example.com.
example.com.  MX 10 mail2.example.com.
example.com.  MX 10 mail3.example.com.

Outbound mail works as well; each host does have matching A and PTR 
records, no blacklisting, etc.

These people want to publish SPF for their mail domain example.com.
They want to implement the cross-user forgery scenario.

Thus:  example.com TXT "v=spf1 ?a ?mail2.example.com ?mail3.example.com -all"
or maybe:  example.com TXT "v=spf1 ?ip4:192.0.2.0/24 -all"

Eventually they understand they should do something about HELO as well.
This results in two extra SPF records:

mail2.example.com TXT "v=spf1 a -all"
mail3.example.com TXT "v=spf1 a -all"

but not: example.com TXT "v=spf1 a -all"
because that would change the policy for the mail domain "example.com"

If the SPF spec would say HELO _MUST_ result in FAIL or PASS, then
they would rename host "example.com" into "mail1.example.com". But
there was no need for it, as the spec allows NEUTRAL.

Note that this scenario could work for very large providers as well.
The only key factor here is that one host named "example.com".

Alex
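
The scenario above, worked through with a small evaluator. This is an added example, not code from the post or from any SPF implementation: the A and TXT records are constructed in-line to mirror the zone Alex describes, only the SPF subset he uses (a, a:<host>, ip4:<cidr>, all, and the four qualifiers) is implemented, and the post's bare-hostname shorthand "?mail2.example.com" is treated as "?a:mail2.example.com". It shows why host "example.com" can only reach NEUTRAL on HELO while mail2/mail3 reach PASS, and what publishing "v=spf1 a -all" for example.com would do to the mail domain.

```python
import ipaddress

# Constructed zone data mirroring the post's scenario; no real DNS is queried.
A_RECORDS = {
    "example.com": "192.0.2.1",
    "mail2.example.com": "192.0.2.2",
    "mail3.example.com": "192.0.2.3",
}
SPF_RECORDS = {
    "example.com": "v=spf1 ?a ?mail2.example.com ?mail3.example.com -all",
    "mail2.example.com": "v=spf1 a -all",
    "mail3.example.com": "v=spf1 a -all",
}
QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def check_spf(domain, client_ip, spf=SPF_RECORDS):
    """Toy evaluator for the SPF subset used in the post: a, a:<host>, ip4:<cidr>, all.
    A bare hostname (the post's shorthand) is treated as a:<host> (assumption)."""
    record = spf.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "NONE"  # no policy published for this identity
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "a":
            matched = A_RECORDS.get(domain) == client_ip
        elif term.startswith("a:"):
            matched = A_RECORDS.get(term[2:]) == client_ip
        else:
            matched = A_RECORDS.get(term) == client_ip  # bare hostname shorthand
        if matched:
            return QUALIFIERS[qualifier]
    return "NEUTRAL"  # ran off the end of the record without a match


def helo_and_mailfrom(helo_host, client_ip, mail_domain="example.com"):
    """Evaluate both identities for one SMTP connection, as a receiver would."""
    return check_spf(helo_host, client_ip), check_spf(mail_domain, client_ip)


if __name__ == "__main__":
    for host, ip in A_RECORDS.items():
        print(host, ip, helo_and_mailfrom(host, ip))
```

Running it shows (NEUTRAL, NEUTRAL) for the host named example.com and (PASS, NEUTRAL) for mail2 and mail3; swapping in "v=spf1 a -all" for example.com makes legitimate mail from mail2's address FAIL on MAIL FROM, which is the policy change the post avoids.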

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/