spf-discuss

Re: [spf-discuss] SPF on HELO - take 2

2009-01-08 07:48:02
Don Lee wrote:
On that topic, when SPF is not available, I consider a HELO name
with an A/AAAA record that matches the connecting IP as good as an
SPF pass for reputation purposes.  SPF just lets the MTA admin be
more flexible with IP assignment for their MTAs.

This is actually not true.  SPF is quite a bit better than a match between
IP and fwd/reverse DNS.  The biggest reason is that SPF says explicitly
that the admin of the IP and domain authorize mail to be sent from that
IP.

However, as a domain admin, I cannot use SPF to specify that a given host is _not_ authorized to send mail. Assume I manage 192.0.2.2 and it corresponds to client.example.com. I think that host is likely to become possessed, but I cannot filter out its connections to port 25. So I try and explicitly authorize no hosts by publishing

   client.example.com IN TXT "v=spf1 -all"

Now, what if that host connects to some port 25 server out there and says any of the following:

   EHLO not.that.client.example.com
   EHLO [192.0.2.2]
   HELO HOWDY

My naive TXT record above won't play. The server will get an SPF result of "none", which it had better accept, as there are plenty of MTAs with correct SPF records except for the HELO identity. Since it had no "pass", the server may verify DNS/rDNS: it will find the name doesn't match; however, 192.0.2.2 and client.example.com make a consistent pair and it accepts the connection. FWIW, the RFC says

| An SMTP server MAY verify that the domain name argument in the EHLO
| command actually corresponds to the IP address of the client.
| However, if the verification fails, the server MUST NOT refuse to
| accept a message on that basis.  Information captured in the
| verification attempt is for logging and tracing purposes.

Perhaps SPF on HELO would have been more effective if servers checked the name resulting from rDNS.


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
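Added example, not code from the post or from the openspf.org project: a toy Python model of the HELO checks the post walks through, run against a constructed zone in which 192.0.2.2 and client.example.com are a consistent pair and client.example.com publishes "v=spf1 -all". The zone data, the function names and the cut-down SPF evaluator (only `a`, `ip4:` and `all` terms) are assumptions made for the illustration; nothing touches real DNS.

```python
import ipaddress
import re

# Constructed zone standing in for real DNS: 192.0.2.2 <-> client.example.com,
# and client.example.com publishes the "authorize nothing" record from the post.
ZONE = {
    ("client.example.com", "A"): ["192.0.2.2"],
    ("client.example.com", "TXT"): ["v=spf1 -all"],
    ("2.2.0.192.in-addr.arpa", "PTR"): ["client.example.com"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def spf_check(ip, domain):
    """Cut-down SPF evaluator (assumed, not a full implementation): only 'a',
    'ip4:' and 'all' terms, one record. Returns the RFC 4408 result names.
    An address literal or a bare word is not a domain, so the result is
    'none' before any lookup happens."""
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain, re.I):
        return "none"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    for term in records[0].split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[q]
        if mech == "a" and ip in lookup(domain, "A"):
            return QUALIFIERS[q]
        if mech.startswith("ip4:") and ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[q]
    return "neutral"

def fcrdns_consistent(ip):
    """Forward/reverse check: some PTR name for ip must resolve back to ip."""
    ptr_names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return any(ip in lookup(name, "A") for name in ptr_names)

def helo_check(ip, helo):
    """What the receiving MTA learns from one EHLO/HELO argument: the SPF result
    for the HELO identity, plus the fallback consistency check the post describes."""
    return spf_check(ip, helo), fcrdns_consistent(ip)

def rdns_helo_check(ip):
    """The alternative floated at the end of the post: evaluate SPF against the
    confirmed rDNS name instead of whatever the client said in HELO."""
    ptr_names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return [spf_check(ip, name) for name in ptr_names if ip in lookup(name, "A")]
```

Only the honest "EHLO client.example.com" reaches the "-all" and fails; the three HELO strings from the post all come back "none" with a consistent forward/reverse pair, while evaluating SPF against the rDNS name returns "fail" for every one of them.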