spf-discuss

RE: [spf-discuss] Using SPF op=helo for HELO Authorization

2007-01-29 14:50:40
David MacQuigg wrote on Monday, January 29, 2007 1:37 PM -0600:

> At 01:16 PM 1/29/2007 -0500, Stuart D. Gathman wrote:
>
> > On Mon, 29 Jan 2007, David MacQuigg wrote:
> >
> > > functionality as CSV, requiring an authentication record for each
> > > and every host, which we can't expect domain owners to do.
> >
> > You need an authentication record for each and every name you
> > want to authenticate with SPF, HELO or otherwise.
>
> So if we want just one record for rr.com, we will need to convince
> them to say HELO rr.com and not include the complete hostname, in
> violation of RFC compliance.

I could be misunderstanding something basic about what you want to do,
but I don't think rr.com needs to do anything special.  SPF works by
matching IP's, not hostnames.  Here's the description of check_host()
from RFC4408:

|4.1.  Arguments
|
|   The check_host() function takes these arguments:
|
|   <ip>     - the IP address of the SMTP client that is emitting the
|              mail, either IPv4 or IPv6.
|
|   <domain> - the domain that provides the sought-after authorization
|              information; initially, the domain portion of the "MAIL
|              FROM" or "HELO" identity.
|
|   <sender> - the "MAIL FROM" or "HELO" identity.
|
|   The domain portion of <sender> will usually be the same as the
|   <domain> argument when check_host() is initially evaluated.  However,
|   this will generally not be true for recursive evaluations (see
|   Section 5.2 below).

When applied to a HELO FQDN, the recipient must extract the domain from
the FQDN to pass on to check_host() regardless.  Check_host() needs the
domain to fetch the SPF record, so this is not optional.  The HELO FQDN
itself must resolve to an IP designated by the SPF record, but the HELO
name itself does not have to be listed.  If a domain bothers to publish
SPF, the IP's of all its outbound mail hosts should already be listed.
As long as a host uses a HELO name that resolves to one of the listed
IP's and connects from one of those IP's, the SPF result for HELO will
be pass.  Here's an example of a domain where the owner designates two
outbound mail hosts.

example.com.  A     1.2.3.4
www           CNAME example.com.
ftp           CNAME example.com.
asterisk      A     1.2.3.5
inbound1      A     1.2.3.6
inbound2      A     1.2.3.7
outbound1     CNAME inbound1.example.com.
outbound2     CNAME inbound2.example.com.
              MX    5 inbound1.example.com.
              MX    9 inbound2.example.com.
              TXT   "v=spf1 a:outbound1.example.com a:outbound2.example.com -all"

This SPF record will result in:

PASS for the following HELO names from IP 1.2.3.6 or 1.2.3.7:

   outbound1.example.com
   outbound2.example.com
   inbound1.example.com
   inbound2.example.com

FAIL for the following HELO names from any IP:

   example.com
   www.example.com
   ftp.example.com
   asterisk.example.com

NONE for any other HELO name ending in .example.com from any IP.


What this shows is that even though example.com listed only two
hostnames in their SPF record, any other hostname from that domain that
resolves to either of the designated IP's will also pass SPF as a HELO
name.


> There is less flexibility in this than hostname@domain, but for our

That is a mailbox address, not a hostname.  The FQDN for a host is
normally in the form host.example.com, but the only requirement is that
it resolves to an IP.

--
Seth Goodman
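Added example, not code from the list thread or from any SPF implementation: a minimal Python check_host() that follows the RFC 4408 argument definitions quoted above (for a HELO check, <domain> is the HELO identity itself), run against the zone from the message, embedded here as a constructed DNS table. The function and table names are my own, and only the "a" and "all" mechanisms are implemented.

```python
import ipaddress

# Constructed DNS table reproducing the zone from the post (names end in "." as in a zone file).
ZONE = {
    "example.com.": {"A": ["1.2.3.4"],
                     "TXT": ["v=spf1 a:outbound1.example.com a:outbound2.example.com -all"]},
    "www.example.com.": {"CNAME": "example.com."},
    "ftp.example.com.": {"CNAME": "example.com."},
    "asterisk.example.com.": {"A": ["1.2.3.5"]},
    "inbound1.example.com.": {"A": ["1.2.3.6"]},
    "inbound2.example.com.": {"A": ["1.2.3.7"]},
    "outbound1.example.com.": {"CNAME": "inbound1.example.com."},
    "outbound2.example.com.": {"CNAME": "inbound2.example.com."},
}

def lookup(name, rtype):
    """Resolve name/rtype in the constructed zone, chasing CNAMEs as a resolver would."""
    name = name.rstrip(".") + "."
    for _ in range(8):  # bound the CNAME chase so a loop cannot hang the check
        rr = ZONE.get(name, {})
        if rtype in rr:
            return rr[rtype]
        if "CNAME" not in rr:
            return []
        name = rr["CNAME"]
    return []

def check_host(ip, domain, sender):
    """Minimal RFC 4408 check_host(): 'a', 'a:<name>' and 'all' mechanisms only.
    The TXT record is fetched at <domain>; for a HELO check that is the HELO identity."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"  # no SPF record published at <domain>
    client = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech, _, target = term.lstrip("+-~?").partition(":")
        if mech == "all":
            return results[qualifier]
        if mech == "a" and any(ipaddress.ip_address(a) == client
                               for a in lookup(target or domain, "A")):
            return results[qualifier]
    return "neutral"  # ran off the end of the record without a match

def helo_result(ip, helo):
    """HELO check as the quoted RFC text defines it: <domain> and <sender> are the HELO identity."""
    return check_host(ip, helo, helo)
```

Calling helo_result() with each HELO name from the lists above shows which name's TXT record the lookup actually consults before a result is produced.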

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
