On Sun, Jan 14, 2007 at 11:47:44PM -0600, Seth Goodman wrote:
> example.com.   A      192.168.0.1
> inbound        A      192.168.0.2
> outbound       A      192.168.0.3
> www            CNAME  example.com.
> example.com.   MX 10  inbound.example.com.
> For this setup, the web server sends no mail and the outbound relay
> HELO's as outbound.example.com. The only time a host would HELO as
> example.com is if the web server gets rooted. Unfortunately, the
> implicit a: would authorize the web server to send mail
No !!!
The SPF record for example.com would be "v=spfX ip4:192.168.0.3 -all"
and thus 192.168.0.1 is NOT authorized to send mail. It would only
be authorized to say HELO example.com.
HELO example.com
250 hello, example.com
MAIL FROM:<any@example.com>
550 Sender address refused, please see
http://www.openspf.org/why?id=any@example.com&ip=192.168.0.1
Of course the error could be delayed to after RCPT TO or even directly
after DATA. Point is, MAIL FROM is not allowed for hostname example.com as
the implicit +a would only count for HELO.
Forbidding the host with FQDN example.com to say HELO example.com would
serve no purpose.
Alex
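The distinction Alex draws, the HELO identity passing via the host's own A record while the MAIL FROM identity is judged only by the published SPF record, as an added worked example that is not part of the thread. It uses a constructed in-memory zone mirroring the quoted zone fragment, spells the record as "v=spf1" where the post writes "v=spfX" (an assumption), and models the "implicit a" under discussion as: the HELO name passes when its A record resolves to the connecting IP. The SPF evaluator is a toy supporting only ip4, a, mx and all.

```python
import ipaddress

# Constructed zone data mirroring the zone quoted in the thread, plus the SPF
# record Alex describes. "v=spf1" is an assumption; the post writes "v=spfX".
ZONE = {
    "example.com.": {
        "A": ["192.168.0.1"],
        "MX": [(10, "inbound.example.com.")],
        "TXT": ["v=spf1 ip4:192.168.0.3 -all"],
    },
    "inbound.example.com.": {"A": ["192.168.0.2"]},
    "outbound.example.com.": {"A": ["192.168.0.3"]},
    "www.example.com.": {"CNAME": ["example.com."]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve rtype for name in the constructed zone, following one CNAME hop."""
    name = name.rstrip(".") + "."
    rrset = ZONE.get(name, {})
    if rtype != "CNAME" and "CNAME" in rrset:
        return lookup(rrset["CNAME"][0], rtype)
    return rrset.get(rtype, [])


def ip_in_network(ip, spec):
    """True when ip lies inside spec (a bare address is treated as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate_spf(domain, ip):
    """Evaluate the domain's SPF record for ip (toy: ip4, a, mx, all only).
    Returns pass/fail/softfail/neutral, or 'none' if no record is published."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in_network(ip, arg)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(host, "A") for _, host in lookup(arg or domain, "MX"))
        else:
            continue  # mechanism not supported by this toy evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no explicit 'all'


def check_helo(helo_name, ip):
    """HELO identity: the 'implicit a' discussed in the thread lets a host use its
    own FQDN when that name's A record is the connecting IP; otherwise fall back
    to the name's published SPF record."""
    if ip in lookup(helo_name, "A"):
        return "pass"
    return evaluate_spf(helo_name, ip)


def check_mail_from(sender, ip):
    """MAIL FROM identity: only the published SPF record for the sender domain
    counts; the implicit 'a' that satisfied HELO does not carry over."""
    domain = sender.rsplit("@", 1)[1]
    if evaluate_spf(domain, ip) == "fail":
        return (550, "Sender address refused, please see "
                     f"http://www.openspf.org/why?id={sender}&ip={ip}")
    return (250, "OK")


def simulate_session(ip, helo_name, sender):
    """Run the HELO check and then the MAIL FROM check, as in the post's transcript."""
    return {"helo": check_helo(helo_name, ip), "mail_from": check_mail_from(sender, ip)}


if __name__ == "__main__":
    # The web server (192.168.0.1) may say HELO example.com but cannot send as @example.com.
    print(simulate_session("192.168.0.1", "example.com", "any@example.com"))
    # The outbound relay (192.168.0.3) is the only host the record authorizes for MAIL FROM.
    print(simulate_session("192.168.0.3", "outbound.example.com", "any@example.com"))
```

Running it shows the web server's session accepted at HELO and rejected at MAIL FROM with the 550 from the post, while the relay passes both checks; a rooted web server therefore gains nothing from the implicit a beyond the HELO name it already owns.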
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/