spf-discuss

Re: [spf-discuss] Using SPF op=helo for HELO Authorization

2007-01-29 11:07:01
At 02:22 PM 1/27/2007 -0500, Stuart D. Gathman wrote:

There is already an op=helo draft standard.  Other standard options
in the draft are:

op=pra  "it is ok to use this SPF record for PRA checking"
op=nohelo       "do not check HELO for this SPF record"
op=helo "reject this domain in HELO unless SPF gets PASS"
op=auth "We've taken steps to prevent cross customer forgery
                for SPF PASS"

OK, I found the draft (draft-ellermann-spf-options-01). Doesn't look like op=helo will do what we need, however. Section 3.2 of the draft refers to "the FQDN given in a HELO command", and I assume this means the complete hostname, not just the domain name which we are using as the transmitter's ID. If I understand it correctly, this option offers basically the same functionality as CSV, requiring an authentication record for each and every host, which we can't expect domain owners to do.

We need a way to generate a complete list of authorized HELO addresses by "compiling" an SPF record. We can't ignore ?all, ptr mechanisms, %{macros}, and other stuff that prevent such a compilation unless there is some signal from the domain owner stating that this is his intent.

So as things stand now, and if my understanding of op=helo is correct, we will keep the "helo=spf" option in our _auth records, as a convenience for domain owners who publish SPF records and want us to use the same set of addresses in their Registry record. I'm working now on a webtool that will allow domain owners to experiment with their SPF records and see if they compile as expected. See http://open-mail.org/webtool.html As always, suggestions are welcome.

Again, Registry records are not intended to "compete" with SPF records. Where there is overlap in the information provided, we will try to follow the design principle that it is best to keep information in one place only, both for convenience, and to avoid "synchronization" problems when that information is updated in one place but not the other. "helo=spf" is not an "ad-hoc" addition to our records, but part of what I hope is a simple, well-planned syntax. Typical _auth records look like:

_auth.example.com.  TXT  "helo=mx,a"
_auth.example.com.  TXT  "service=S1,H2 method=CSV,SPF,SID,DK helo=SPF,216.183.71.48/30"

In the first record, we assume that the domain owner doesn't use SPF, or perhaps prefers that we ignore his SPF record in the HELO check. In the second record, we assume the /30 block is for some reason *not* listed in the SPF record for the domain, so the domain owner added it here.

See http://open-mail.org/files/Records.html for more detail.

-- Dave


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
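The post above talks about "compiling" an SPF record into a complete list of authorized HELO addresses and notes that ?all, ptr, macros and similar terms make that impossible. The following is an added example (not code from the post, the open-mail.org webtool, or any SPF library) of what such a compiler has to do: follow include/redirect, expand a and mx against DNS, collect ip4/ip6 networks, and refuse to compile when a term can only be evaluated against the connecting client. DNS is replaced by a constructed, offline table; every domain name and address in it is made up for illustration.

```python
import ipaddress
import re

# Constructed stand-in for DNS (hypothetical names and RFC 5737/3849 addresses).
# Only TXT, MX and A records are modelled; AAAA is omitted to keep the example short.
DNS = {
    "example.com": {
        "TXT": "v=spf1 mx a:relay.example.com/30 ip4:192.0.2.0/28 include:_spf.mailer.example -all",
        "MX": ["mx1.example.com", "mx2.example.com"],
        "A": ["192.0.2.40"],
    },
    "mx1.example.com": {"A": ["192.0.2.10"]},
    "mx2.example.com": {"A": ["192.0.2.11"]},
    "relay.example.com": {"A": ["198.51.100.6"]},
    "_spf.mailer.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/48 -all"},
    # Records that cannot be reduced to a finite list of PASS addresses:
    "loose.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 ?all"},
    "ptr.example": {"TXT": "v=spf1 ptr exists:%{i}.spf.ptr.example -all"},
}

MACRO = re.compile(r"%[{%_-]")  # %{...}, %%, %_, %- are SPF macro forms


def _host_nets(dns, hosts, cidr):
    """A records of the given hosts as networks, applying an optional /cidr."""
    out = set()
    for host in hosts:
        for ip in dns.get(host, {}).get("A", []):
            out.add(ipaddress.ip_network(f"{ip}/{cidr or 32}", strict=False))
    return out


def compile_spf(domain, dns=DNS, _depth=0):
    """Return (networks, problems). Networks is the set of ip_network objects
    that would yield PASS; problems lists every reason the record cannot be
    turned into a complete address list. An empty problems list means the
    networks set is complete."""
    nets, problems = set(), []
    if _depth > 10:
        return nets, [f"{domain}: include/redirect nesting too deep"]
    record = dns.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return nets, [f"{domain}: no SPF record"]
    for term in record.split()[1:]:
        if "=" in term:                      # modifier, e.g. redirect=, exp=
            mod, _, target = term.partition("=")
            if mod.lower() == "redirect":
                sub, probs = compile_spf(target, dns, _depth + 1)
                nets |= sub
                problems += probs
            continue
        if MACRO.search(term):
            problems.append(f"{domain}: macro in '{term}' depends on the connecting client")
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name, _, cidr = name.lower().partition("/")   # a/24, mx/24
        if arg:
            arg, _, cidr = arg.partition("/")          # a:host/24, ip4:x/28
        cidr = cidr.partition("//")[0]                 # ignore dual-cidr IPv6 part
        if name == "all":
            if qual in "+?":
                problems.append(f"{domain}: '{qual}all' leaves every other address PASS or NEUTRAL")
            break                                      # nothing after 'all' is evaluated
        if qual != "+":
            problems.append(f"{domain}: '{qual}{name}' carves addresses out; not expressible as a PASS list")
            continue
        if name in ("ptr", "exists"):
            problems.append(f"{domain}: '{name}' is evaluated per connecting IP and cannot be enumerated")
        elif name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg + (f"/{cidr}" if cidr else ""), strict=False))
        elif name == "a":
            nets |= _host_nets(dns, [arg or domain], cidr)
        elif name == "mx":
            nets |= _host_nets(dns, dns.get(arg or domain, {}).get("MX", []), cidr)
        elif name == "include":
            sub, probs = compile_spf(arg, dns, _depth + 1)
            nets |= sub
            problems += probs
        else:
            problems.append(f"{domain}: unknown mechanism '{name}'")
    return nets, problems


def compiled_list(domain, dns=DNS):
    """Collapsed CIDR strings for a compilable record, or (None, problems)."""
    nets, problems = compile_spf(domain, dns)
    if problems:
        return None, problems
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)], []


if __name__ == "__main__":
    for d in ("example.com", "loose.example", "ptr.example"):
        print(d, compiled_list(d))
```

The failure cases are the point: a record ending in ?all compiles to a list that the publisher never said was complete, and ptr or a macro such as %{i} can only be resolved once a client has connected, so the compiler reports them rather than silently dropping them. A registry that wants to reuse SPF data for HELO checks would only accept records where the problems list is empty, which is the signal of intent the post asks for.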
