On Tuesday 06 February 2007 03:33, Chris Haynes wrote:
On Tuesday, February 6, 2007 at 12:04:22 AM, Julian Mehnle wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stuart D. Gathman wrote:
On Mon, 5 Feb 2007, Scott Kitterman wrote:
There is no benifit to checking MAIL FROM after a HELO fail if the
receiver policy is to reject on HELO FAIL. I think that last sentence
would have been much better if it said:
I disagree. This is a receiver policy.
I concur with Stuart, disagreeing with Scott. Mandating receiver policy
is prone stirring up a hornet's nest. Even if receivers were to honor
it, it's incredibly difficult to get it about right for _everyone_.
In (very long) hindsight, I think that even strictly mandating the MAIL
FROM check was an error. Receivers may have legitimate reasons for
checking only the HELO.
| -At least the "MAIL FROM" identity MUST be checked, but it is
| -RECOMMENDED that the "HELO" identity also be checked beforehand.
| +Both the "HELO" and "MAIL FROM" identities SHOULD be checked.
It is perfectly possible that HELO fails and MAIL FROM passes. MAIL
FROM should get priority in that case.
Maybe, maybe not. It's a matter of perspective.
Scott Kitterman wrote:
If the receiver policy is to reject on HELO FAIL, then doing the MAIL
FROM check makes no sense, but RFC 4408 requires it.
Right. That was probably a mistake made back in 2003.
I seem to recall exactly this issue being discussed a couple of years ago.
The point was made then that SPF (as now represented by RFC 4408) is based
on using MAIL_FROM as the primary test. HELO testing is involved only in
some marginal situations.
That is not the case in RFC 4408. It was true in most of the pre-IETF drafts
that HELO checking was on in case of a null Mail From. In RFC 4408 HELO
checking is RECOMMENDED to be done before Mail From and on a full time basis.
Therefore, a receiver policy to require a HELO test before considering
MAIL-FROM is not SPF, so there is no 'bug' in RFC 4408. This different
receiver policy would need its own RFC.
Not at all. RFC 4408 recommends HELO check before Mail From check. The issue
is that as written RFC 4408 reqiures that I do the Mail From check, but not
that I do anything with it. If (based on my receiver policy which is outside
the scope of RFC 4408 in virtually all cases) I've made a definitive decision
to accept/reject the message based on the HELO result, I'm still required to
burn CPU, bandwidth, and DNS resolver time to do a Mail From check whose
result I will ignore. Makes no sense.
I don't really care about the exact language we use to fix it, but I think
it's definitely a bug. It's a concept that was not fully re-examined in
light of the decision to to swtich from null Mail From HELO checking to full
time HELO checking.
Scott K
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735