
Re: [spf-discuss] Using SPF op=helo for HELO Authorization

2007-01-29 16:51:03
On Mon, Jan 29, 2007 at 03:46:52PM -0600, Seth Goodman wrote:

> When applied to a HELO FQDN, the recipient must extract the domain from
> the FQDN to pass on to check_host() regardless.  Check_host() needs the
> domain to fetch the SPF record, so this is not optional.  The HELO FQDN
> itself must resolve to an IP designated by the SPF record, but the HELO
> name itself does not have to be listed.

Ugh...

You seem to lack basic understanding of the difference between zone
and domain.

Assuming everything ending in example.com is under the same management:

mailhost01.westcoast.example.com. ***IS*** a domain, in zone example.com.

The domain given to check_host ***IS*** mailhost01.westcoast.example.com.
and certainly not "example.com".


> SPF, the IPs of all its outbound mail hosts should already be listed.
> As long as a host uses a HELO name that resolves to one of the listed
> IPs and connects from one of those IPs, the SPF result for HELO will
> be pass.  Here's an example of a domain where the owner designates two
> outbound mail hosts.

> example.com.  A     1.2.3.4
> www           CNAME example.com.
> ftp           CNAME example.com.
> asterisk      A     1.2.3.5
> inbound1      A     1.2.3.6
> inbound2      A     1.2.3.7
> outbound1     CNAME inbound1.example.com.
> outbound2     CNAME inbound2.example.com.
> ; owner given explicitly: a blank owner field would attach these to outbound2
> example.com.  MX    5 inbound1.example.com.
> example.com.  MX    9 inbound2.example.com.
> example.com.  TXT   "v=spf1 a:outbound1.example.com a:outbound2.example.com -all"

Ugly.  Please do not follow this example.  List only hosts
that are "A", not "CNAME", in your SPF records.

A(inbound1.example.com) directly results in 1.2.3.6
A(outbound1.example.com) needs an extra lookup, via CNAME.


> This SPF record will result in:
>
> PASS for the following HELO names from IP 1.2.3.6 or 1.2.3.7:
>
>    outbound1.example.com

This is not a valid principal hostname, and must not be used for HELO.
See RFC 2821 section 4.1.4

Additionally, you got it backwards.  If you "HELO outbound1.example.com"
then SPF would look at the SPF record at "outbound1.example.com", not at the
SPF record listed at "example.com".

>    outbound2.example.com

Same, and same.

>    inbound1.example.com
>    inbound2.example.com

> FAIL for the following HELO names from any IP:
>
>    example.com

true

>    www.example.com

false

>    ftp.example.com

false

>    asterisk.example.com

false

> NONE for any other HELO name ending in .example.com from any IP.

If above zone file is complete: true. Else false.


> What this shows is that even though example.com listed only two
> hostnames in their SPF record, any other hostname from that domain that
> resolves to either of the designated IPs will also pass SPF as a HELO
> name.

FUD.

> There is less flexibility in this than hostname@domain, but for our

> That is a mailbox address, not a hostname.  The FQDN for a host is
> normally in the form host.example.com, but the only requirement is that
> it resolves to an IP.

False.


Alex
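As an added illustration (not code from this thread or from any SPF implementation), a toy check_host() run against a constructed DNS table for the zone quoted above: it shows that a HELO check fetches the SPF record at the HELO FQDN itself, and that an "a:" target that is a CNAME costs an extra name resolution compared with a plain A record. Only "a:<name>" and "-all" are implemented, and each name visited while chasing a CNAME is counted as one lookup.

```python
# Constructed zone (assumption) mirroring the quoted example; MX/TXT owner made explicit.
ZONE = {
    "example.com.": {"A": ["1.2.3.4"], "TXT": [
        "v=spf1 a:outbound1.example.com a:outbound2.example.com -all"]},
    "inbound1.example.com.": {"A": ["1.2.3.6"]},
    "inbound2.example.com.": {"A": ["1.2.3.7"]},
    "outbound1.example.com.": {"CNAME": ["inbound1.example.com."]},
    "outbound2.example.com.": {"CNAME": ["inbound2.example.com."]},
}
# Same zone, but the record names the "A" hosts directly, as recommended above.
ZONE_A_ONLY = dict(ZONE)
ZONE_A_ONLY["example.com."] = {"A": ["1.2.3.4"], "TXT": [
    "v=spf1 a:inbound1.example.com a:inbound2.example.com -all"]}


def dns_lookup(zone, name, rtype, counter):
    """Return the rtype RRset for name, chasing CNAMEs; every name visited
    (the original plus each CNAME target) is counted in counter[0]."""
    name = name.rstrip(".") + "."
    while True:
        counter[0] += 1
        rrset = zone.get(name, {})
        if rtype in rrset:
            return list(rrset[rtype])
        if "CNAME" in rrset:       # a CNAME target costs one more lookup
            name = rrset["CNAME"][0]
            continue
        return []


def check_host(zone, ip, domain):
    """Toy check_host() supporting only "a:<name>" and "-all"; returns
    (result, names_looked_up). The record is fetched at <domain> itself."""
    counter = [0]
    txt = dns_lookup(zone, domain, "TXT", counter)
    spf = [t for t in txt if t.startswith("v=spf1 ")]
    if not spf:
        return "none", counter[0]          # no SPF record at this domain
    for term in spf[0].split()[1:]:
        if term.startswith("a:") and ip in dns_lookup(zone, term[2:], "A", counter):
            return "pass", counter[0]
        if term == "-all":
            return "fail", counter[0]
    return "neutral", counter[0]


def helo_check(zone, ip, helo):
    """SPF on HELO: the domain handed to check_host() is the HELO FQDN itself,
    not the zone it lives in, so the record is sought at the HELO name."""
    return check_host(zone, ip, helo)
```

helo_check(ZONE, "1.2.3.6", "outbound1.example.com") returns ("none", 2) because nothing is published at the HELO name, while check_host(ZONE, "1.2.3.6", "example.com") passes after three name resolutions against two for ZONE_A_ONLY.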

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735
