spf-discuss

Re: [spf-discuss] Re: How does one distinguish between authorizing MAIL FROM and HELO

2007-01-29 08:59:19
On Mon, Jan 29, 2007 at 10:33:01AM -0500, John A. Martin wrote:

> I'm afraid again I was unclear or confused.  The question is for a
> setup where the MAIL FROM uses a collective domain as in
> <local-part@example.com> and the outgoing SMTP relays use their FQDNs
> in their HELO commands.  To simplify, assume a single outbound relay
> and
>
>     >>         example.com.        TXT "v=spf1 ip4:192.168.0.1 -all"
>     >>         host1.example.com.  TXT "v=spf1 ip4:192.168.0.1 -all"

A connection from the host with address 192.168.0.1:

SMTP session:  HELO host1.example.com
SPF:
- fetch the record at host1.example.com
- result: "v=spf1 ip4:192.168.0.1 -all"
- compare: "ip4:192.168.0.1" against 192.168.0.1 -> MATCH
- use prefix "+" (implicit here)
- return PASS
SMTP session:  MAIL FROM:<user@example.com>
SPF:
- fetch the record at example.com
- result: "v=spf1 ip4:192.168.0.1 -all"
- compare: "ip4:192.168.0.1" against 192.168.0.1 -> MATCH
- use prefix "+" (implicit here)
- return PASS

A connection from another IP address:

SMTP session:  HELO host1.example.com
SPF:
- fetch the record at host1.example.com
- result: "v=spf1 ip4:192.168.0.1 -all"
- compare: "ip4:192.168.0.1" against 192.168.0.10 -> no match
- compare: "all" against 192.168.0.10 -> MATCH
- use prefix "-" (explicit here)
- return FAIL
SMTP can stop here


A slightly more complicated example:

Connection from 192.168.0.1

  example.com.        TXT "v=spf1 ip4:192.168.0.0/24 -all"
  host1.example.com.  TXT "v=spf1 a -all"
  host1.example.com   A   192.168.0.10            <-- 10, not 1

SMTP session:  HELO host1.example.com
SPF:
- fetch the record at host1.example.com
- result: "v=spf1 a -all"
- get A record for host1.example.com
- result: 192.168.0.10
- compare: 192.168.0.10 against 192.168.0.1 -> FAIL
- compare: "all" against 192.168.0.1 -> MATCH
- use prefix "-" (explicit here)
- return FAIL

(n.b. the record for host1.example.com is shorter, but more work has
to be done!)

Other example:
Connection from 192.168.0.1

  example.com.        TXT "v=spf1 ip4:192.168.0.0/24 -all"
  host1.example.com.  TXT "v=spf1 ip4:192.168.0.1 -all"
  example.org.        TXT "v=spf1 ip4:172.16.1.2 -all"

SMTP session:  HELO host1.example.com
SPF:
- fetch the record at host1.example.com
- result: "v=spf1 ip4:192.168.0.1 -all"
- compare: "ip4:192.168.0.1" against 192.168.0.1 -> MATCH
- use prefix "+" (implicit here)
- return PASS
SMTP session:  MAIL FROM:<user@example.org>    <-- Note:  ORG, not com
SPF:
- fetch the record at example.org
- result: "v=spf1 ip4:172.16.1.2 -all"
- compare: "ip4:172.16.1.2" against 192.168.0.1 -> FAIL
- compare: "all" against 192.168.0.10 -> MATCH
- use prefix "-" (explicit here)
- return FAIL



Hostnames "example.com" and "mail2.example.com" up to mail254.example.com.
Mail domain "example.com"

 example.com.       A    192.168.0.1
 mail2.example.com. A    192.168.0.2
 mail3.example.com. A    192.168.0.3
 (and so on)
 example.com.       TXT  "v=spf1 ip4:192.168.0.0/24 -all"
 mail2.example.com. TXT  "v=spf1 ip4:192.168.0.2 -all"
 mail3.example.com. TXT  "v=spf1 ip4:192.168.0.3 -all"
 (and so on)


Host with name "example.com" is the only one authorized to say
"HELO example.com".  However, all other hosts on that network
should be authorized to say "MAIL FROM:<...@example.com>", that's
why the entire subnet is authorized to use domain name "example.com".

Host with name "mail2.example.com" is the only one authorized to
say "HELO mail2.example.com".  No other host needs to use this domain
name so that's why the SPF record for domain "mail2.example.com" only
needs to authorize IP address 192.168.0.2

Technically host "mail2.example.com" could get away with saying
"HELO example.com".  But that would be prevented by its sysadmin.

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
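The walkthroughs above can be reproduced mechanically. The following Python is an added example, not code from the list post or from any SPF implementation; it evaluates a toy subset of SPF (the `ip4`, `a` and `all` mechanisms with the `+`/`-`/`~`/`?` qualifiers) against a constructed in-memory zone table that mirrors the records in the post, instead of doing real DNS lookups. `check_spf` returns the result together with a step list in the same shape as the traces above, and `check_session` shows the ordering point the post makes: the HELO identity is checked first, so a `-all` FAIL on the HELO name lets the receiver stop before MAIL FROM is even evaluated.

```python
import ipaddress

# Constructed zone data mirroring the records in the post (no real DNS is queried).
ZONE = {
    "example.com":       {"TXT": "v=spf1 ip4:192.168.0.0/24 -all", "A": "192.168.0.1"},
    "host1.example.com": {"TXT": "v=spf1 a -all",                 "A": "192.168.0.10"},
    "example.org":       {"TXT": "v=spf1 ip4:172.16.1.2 -all"},
}

# Result for a matched mechanism, keyed by its qualifier ("+" is implicit when absent).
QUALIFIER_RESULT = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def check_spf(domain, client_ip, zone=ZONE):
    """Evaluate the SPF record published at `domain` for a connection from `client_ip`.

    Returns (result, trace). Only ip4, a and all are understood; anything else
    yields PERMERROR so the toy never silently guesses.
    """
    trace = []
    ip = ipaddress.ip_address(client_ip)
    record = zone.get(domain, {}).get("TXT")
    trace.append(f"fetch the record at {domain}")
    if record is None or not record.startswith("v=spf1"):
        trace.append("result: no SPF record -> NONE")
        return "NONE", trace
    trace.append(f'result: "{record}"')

    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        if name == "all":
            matched = True
            trace.append(f'compare: "all" against {ip} -> MATCH')
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)  # bare address means /32
            matched = ip in net
            trace.append(f'compare: "ip4:{arg}" against {ip} -> '
                         f'{"MATCH" if matched else "no match"}')
        elif name == "a":
            target = arg or domain                          # "a" alone means the record's own domain
            a_addr = zone.get(target, {}).get("A")
            trace.append(f"get A record for {target}")
            trace.append(f"result: {a_addr}")
            matched = a_addr is not None and ipaddress.ip_address(a_addr) == ip
            trace.append(f"compare: {a_addr} against {ip} -> "
                         f'{"MATCH" if matched else "no match"}')
        else:
            trace.append(f"mechanism {name!r} not supported by this toy -> PERMERROR")
            return "PERMERROR", trace

        if matched:
            result = QUALIFIER_RESULT[qualifier]
            trace.append(f'use prefix "{qualifier}"')
            trace.append(f"return {result}")
            return result, trace

    trace.append("no mechanism matched -> NEUTRAL")  # default when the record has no "all"
    return "NEUTRAL", trace


def check_session(helo, mail_from_domain, client_ip, zone=ZONE):
    """Check the HELO identity first; on FAIL the SMTP session can stop before MAIL FROM."""
    helo_result, helo_trace = check_spf(helo, client_ip, zone)
    if helo_result == "FAIL":
        return {"helo": helo_result, "mail_from": None, "trace": helo_trace}
    mf_result, mf_trace = check_spf(mail_from_domain, client_ip, zone)
    return {"helo": helo_result, "mail_from": mf_result, "trace": helo_trace + mf_trace}


if __name__ == "__main__":
    # The "slightly more complicated example" from the post: host1's A record is .10, not .1.
    for step in check_spf("host1.example.com", "192.168.0.1")[1]:
        print("-", step)
    print(check_session("host1.example.com", "example.org", "192.168.0.10"))
```

The `a` case is where the cost difference the post mentions shows up: the record is shorter, but the evaluator has to perform a second lookup before it can compare anything, whereas `ip4` compares directly against the client address.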