spf-discuss

RE: [spf-discuss] Implicit A

2007-01-15 00:04:44
Alex van den Bogaerdt wrote on Monday, January 15, 2007 12:39 AM -0600:

On Sun, Jan 14, 2007 at 11:47:44PM -0600, Seth Goodman wrote:

example.com.       A      192.168.0.1
inbound            A      192.168.0.2
outbound           A      192.168.0.3
www                CNAME  example.com.
                   MX     10  inbound.example.com.

For this setup, the web server sends no mail and the outbound relay
HELO's as outbound.example.com.  The only time a host would HELO as
example.com is if the web server gets rooted.  Unfortunately, the
implicit a: would authorize the web server to send mail

No !!!

The SPF record for example.com would be "v=spfX ip4:192.168.0.3 -all"
and thus 192.168.0.1 is NOT authorized to send mail.  It would only
be authorized to say HELO example.com

If 192.168.0.1 issues a HELO command it obviously is connected to an
SMTP server and is trying to send mail.  Is there some use case for
allowing a host to issue a HELO command but not send mail?


HELO example.com
220 hello, example.com
MAIL FROM:<any@example.com>
550 Sender address refused, please see
http://www.openspf.org/why?id=any@example.com&ip=192.168.0.1


Of course the error could be delayed to after RCPT TO or even directly
after DATA.  Point is, MAIL FROM is not allowed for hostname
example.com as the implicit +a would only count for HELO.

Forbidding the host with FQDN example.com to say HELO example.com
would serve no purpose.

The purpose is to tell recipients that any machine that HELO's with
example.com, whether the IP reverses to that hostname or not, is not
authorized to send mail for _any_ domain.  You can't reliably do that
with SPFv1 because HELO checking at the recipient is optional.  What
serves no purpose is authorizing a machine that sends no mail to connect
to a foreign SMTP server and to HELO.

--
Seth Goodman
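The following is an added example, not code from the thread, from either poster, or from the openspf project. It is a minimal SPF evaluator (ip4, a and all mechanisms only) fed by an inline stub of the zone quoted above plus the record Alex gives for it, "v=spf1 ip4:192.168.0.3 -all". The thread's hypothetical implicit a is modelled as an assumed rule: a "+a" for the HELO name is prepended to the published terms, and only for the HELO identity. It then models a receiving MTA whose HELO check is a switch, since that check is optional, which is what makes Seth's point reproducible: a rooted 192.168.0.1 that HELOs as example.com and uses MAIL FROM in some domain with no SPF record is rejected only by a receiver that checks HELO and does not apply the implicit a.

```python
import ipaddress

# Constructed stand-in for DNS: the example.com zone quoted in the thread,
# plus the SPF record Alex gives for it. No network access is made.
ZONE = {
    "example.com": {
        "A": ["192.168.0.1"],
        "MX": ["inbound.example.com"],
        "TXT": ["v=spf1 ip4:192.168.0.3 -all"],
    },
    "inbound.example.com": {"A": ["192.168.0.2"]},
    "outbound.example.com": {"A": ["192.168.0.3"]},
    "www.example.com": {"CNAME": "example.com"},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Return the records of type rrtype for name, following a short CNAME chain."""
    rrset = ZONE.get(name.rstrip(".").lower(), {})
    hops = 0
    while "CNAME" in rrset and hops < 10:
        rrset = ZONE.get(rrset["CNAME"], {})
        hops += 1
    return list(rrset.get(rrtype, []))


def check_host(ip, domain, implicit_a=False):
    """Evaluate the SPF record of domain for the connecting ip.

    Only ip4, a and all are implemented; anything else is a permerror.
    implicit_a=True applies the hypothetical rule from the thread (an
    assumption of this example): a '+a' for domain itself is prepended
    to the published terms.
    """
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    terms = records[0].split()[1:]
    if implicit_a:
        terms.insert(0, "+a")
    for term in terms:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def receiver_accepts(ip, helo, mail_from_domain, check_helo, implicit_a):
    """Model a receiving MTA. MAIL FROM is always checked; the HELO check is
    optional, so it is a switch. The implicit a applies to HELO only, as the
    thread describes it. Returns (accepted, reason)."""
    if check_helo and check_host(ip, helo, implicit_a) == "fail":
        return False, "helo fail"
    if check_host(ip, mail_from_domain) == "fail":
        return False, "mailfrom fail"
    return True, "accepted"


if __name__ == "__main__":
    # Rooted web server: HELO example.com, MAIL FROM in a domain with no SPF record.
    for check_helo, implicit_a in [(True, False), (True, True), (False, False)]:
        print(check_helo, implicit_a,
              receiver_accepts("192.168.0.1", "example.com", "other.example",
                               check_helo, implicit_a))
    # Legitimate relay: HELO outbound.example.com, MAIL FROM example.com.
    print(receiver_accepts("192.168.0.3", "outbound.example.com", "example.com",
                           True, True))
```

With the real record and no implicit a, 192.168.0.1 fails for both identities. With the implicit a it passes the HELO check while still failing MAIL FROM for example.com, which is Alex's claim. The case the code makes visible is MAIL FROM in a domain that publishes nothing: the only receiver that rejects it is one that checks HELO and does not apply the implicit a, which is Seth's objection.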

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
