spf-discuss

Re: [spf-discuss] Re: How does one distinguish between authorizing MAIL FROM and HELO

2007-01-29 11:09:55
On Mon, Jan 29, 2007 at 12:20:17PM -0500, John A. Martin wrote:

    Don> I believe that the HELO must be FQDN, but there is no
    Don> requirement that it match MAIL FROM.

Indeed.

A host with official name "mailsender.bigisp.example" MUST use
"HELO mailsender.bigisp.example" (or change HELO into EHLO).

This host can send mail for any maildomain, not just its own name.

As I understand what Alex pointed out, it is the IP originating the
TCP connection that must match the SPF identities.

Use of a domain name (whether in HELO or in MAIL FROM):
1) Look in DNS at "domain"
2) Fetch the SPF information (SPF record, or TXT record if no SPF record)
3) Process the fetched information, left to right, and see where
   it matches the connected computer (the remote end)
4) Use the prefix from the mechanism that matched


Domain "example.com" SPF record "v=spf1 ip4:192.168.0.1 a mx -all"

Part 1:  "v=spf1"  this is SPF; else stop processing this information
Part 2:  "ip4:192.168.0.1"   See if the remote host is 192.168.0.1
Part 3: 
   step 1: Find domain "example.com"
   step 2: Use the A record(s) at this domain
   for each A record found:
      substep a: compare the IP address, similar to Part 2
Part 4:
   step 1: Find domain "example.com"
   step 2: Use the MX record(s) at this domain
   for each MX record found:
      substep a: get the domain in this MX record
      substep b: find this domain
      substep c: Use the A record(s) at this domain
      for each A record found:
         substep a: compare the IP address, similar to Part 2
Part 5:  "all" will always match
Please note that "all" _is_ a match!


If part 2 matches, processing stops. Else:
If part 3 matches, processing stops. Else:
If part 4 matches, processing stops. Else:
Part 5 matches, so processing stops.

When a match occurs, the prefix for that match determines what to return.
 
Any mechanism ("ip4", "a", "mx" and so on) can have a prefix. If this
prefix is not there, an implicit "+" is present.
This is why "all" without prefix "-" isn't useful to most people. Unless
you're a spammer, you don't want to authorize all hosts.

I skipped explaining "ptr", "include", "ip6", and more.  If you're
interested, read the documentation and compare against this mail. It
should become more clear then.

Alex
