spf-discuss

RE: [spf-discuss] Re: SPF basics commentary

2007-01-29 22:57:50
Julian Mehnle wrote on Sunday, Jan 28, 2007 8:03AM -0600:

> Seth Goodman wrote:
> > Don Lee wrote on Saturday, January 27, 2007 11:05 AM -0600:
> > > HELO checking is a good example.  I think there is consensus that
> > > this is safe and effective, and can be deployed immediately
> > > everywhere without pain.
> >
> > That's not exactly true.  There are still a large number of MTA's
> > with improperly configured HELO names.  What is safe is to reject
> > for the HELO name being _your_ domain.  If the HELO name is not
> > yours, you are asking for trouble if you reject on that alone.  In
> > combination with other tests, checking HELO may help you to
> > generate SPF pass where you otherwise wouldn't, and that's probably
> > where it's most useful at present.
>
> Not true.  An invalid HELO name will lead to SPF=None, so SPF wouldn't
> cause a rejection anyway.  If SPF(HELO)=Fail/SoftFail, then the HELO
> name couldn't have been "improperly configured".  Ergo, HELO checking
> is safe.

You make a good point:  invalid hostnames result in NONE while only
valid hostnames that resolve to non-designated IP's produce FAIL or
SOFTFAIL.  I remove my objection and thank you for pointing out the
fallacy.


> > I wish we could ignore forwarding, but everybody recognized it was a
> > serious problem for SPF from the get-go and not much has changed
> > since.
>
> While most of the SPF community may have recognized alias-forwarding
> breakage a serious problem of SPF _in_the_beginning_, I see an
> increasing number of SPF proponents starting to consider it an
> inherent consequence of SPF, and not something that can (or should)
> somehow be mitigated.

Some people apparently do think that, but I suggest that will lead only
to frustration with no concrete results.  This unfortunate practice is
embedded too deeply to go away, IMHO.  If most people were generally
behind the idea that SPF was the best solution to trivial domain
forgery, as most of us here think, that idea might have a chance.  The
debacle at MARID and subsequent work on DK showed this is not the case,
and I think it unlikely to change.  I'm for anything that will reduce
alias forwarding as it's currently used, I just don't believe that
eliminating it is a realistic goal.

--
Seth Goodman

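
The HELO point settled in the exchange above, shown as an added example that is not part of the original message or of any SPF implementation: a malformed or policy-less HELO name yields "none", and only a valid name with a published policy can yield "fail" or "softfail". The `example.*` names, the addresses, the in-memory TXT table and the reject-only-on-fail policy in `helo_action` are constructed assumptions, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress
import re

# Constructed TXT data standing in for DNS lookups (assumption, not real records).
SPF_TXT = {
    "mail.example.org": "v=spf1 ip4:192.0.2.10 -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def is_fqdn(name):
    """True only for a multi-label hostname; IP literals and bare labels are not."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL.match(label) for label in labels)


def spf_helo(helo, client_ip, txt=SPF_TXT):
    """Return the SPF result for the HELO identity (ip4/ip6/all mechanisms only)."""
    if not is_fqdn(helo):
        return "none"  # malformed HELO: there is no domain to look a policy up for
    record = txt.get(helo.rstrip(".").lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # valid name, but no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        kind, _, value = mech.partition(":")
        if kind in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term


def helo_action(helo, client_ip):
    """Reject only on an explicit fail; every other result goes on to later checks."""
    return "reject" if spf_helo(helo, client_ip) == "fail" else "continue"
```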