spf-discuss

Re: [spf-discuss] Re: RFC 4408 Bug - Makes no sense to require Mail From check if HELO check FAILs

2007-02-06 01:34:37




On Tuesday, February 6, 2007 at 12:04:22 AM, Julian Mehnle wrote:

Stuart D. Gathman wrote:
On Mon, 5 Feb 2007, Scott Kitterman wrote:
There is no benefit to checking MAIL FROM after a HELO fail if the
receiver policy is to reject on HELO FAIL.  I think that last sentence
would have been much better if it said:

I disagree. This is a receiver policy.

I concur with Stuart, disagreeing with Scott.  Mandating receiver policy is
prone to stirring up a hornet's nest.  Even if receivers were to honor it,
it's incredibly difficult to get it about right for _everyone_.

In (very long) hindsight, I think that even strictly mandating the MAIL
FROM check was an error.  Receivers may have legitimate reasons for 
checking only the HELO.

| -At least the "MAIL FROM" identity MUST be checked, but it is
| -RECOMMENDED that the "HELO" identity also be checked beforehand.
| +Both the "HELO" and "MAIL FROM" identities SHOULD be checked.
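Review bot: The replacement line drops the word "beforehand" together with the MUST, so the text no longer says in which order the two identities are checked or what a receiver does when the two results differ (for example HELO fail with MAIL FROM pass). If both points are meant to be left to receiver policy, say so explicitly in the new sentence rather than leaving it implied by the SHOULD.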

It is perfectly possible that HELO fails and MAIL FROM passes.  MAIL FROM
should get priority in that case.

Maybe, maybe not.  It's a matter of perspective.

Scott Kitterman wrote:
If the receiver policy is to reject on HELO FAIL, then doing the MAIL
FROM check makes no sense, but RFC 4408 requires it.

Right.  That was probably a mistake made back in 2003.


I seem to recall exactly this issue being discussed a couple of years ago. The 
point was made then that SPF (as now represented by RFC 4408) is based on using 
MAIL_FROM as the primary test. HELO testing is involved only in some marginal 
situations.

Therefore, a receiver policy to require a HELO test before considering 
MAIL-FROM is not SPF, so there is no 'bug' in RFC 4408. This different receiver 
policy would need its own RFC.



Chris Haynes
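
The case argued over in this thread (HELO fails, MAIL FROM passes), as an added example that is not part of the original message or of RFC 4408. It evaluates a small SPF subset (`ip4` and `all` only) against constructed records; the names `RECORDS`, `check_host` and `receive`, the domains and the addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF records (documentation domains/addresses), standing in for DNS TXT lookups.
RECORDS = {
    "mta.example.net": "v=spf1 ip4:198.51.100.7 -all",  # HELO name
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",       # MAIL FROM domain
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Evaluate a tiny SPF subset (ip4 and all mechanisms) for one identity."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"  # no SPF record published
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def receive(ip, helo, mail_from_domain, reject_on_helo_fail):
    """Return (helo_result, mail_from_result, action) for one SMTP session."""
    helo_result = check_host(ip, helo)
    if reject_on_helo_fail and helo_result == "fail":
        # Receiver policy from the thread: the MAIL FROM check cannot change the outcome.
        return helo_result, None, "reject"
    mf_result = check_host(ip, mail_from_domain)
    action = "reject" if mf_result == "fail" else "accept"
    return helo_result, mf_result, action
```

For a constructed session from 192.0.2.25 with HELO `mta.example.net` and MAIL FROM domain `example.org`, the two receiver policies disagree: one rejects without ever evaluating MAIL FROM, the other accepts on the MAIL FROM pass.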
