spf-discuss

Re: [spf-discuss] SPF on HELO - take 2

2009-01-08 08:07:05
On Thu, 08 Jan 2009 13:46:54 +0100 Alessandro Vesely 
<vesely(_at_)tana(_dot_)it> wrote:
Don Lee wrote:
On that topic, when SPF is not available, I consider a HELO name
with an A/AAAA record that matches the connecting IP as good as an
SPF pass for reputation purposes.  SPF just lets the MTA admin be
more flexible with IP assignment for their MTAs.

This is actually not true.  SPF is quite a bit better than a match between
IP and fwd/reverse DNS.  The biggest reason is that SPF says explicitly
that the admin of the IP and domain authorize mail to be sent from that
IP.

However, as a domain admin, I cannot use SPF to specify that a given 
host is _not_ authorized to send mail. Assume I manage 192.0.2.2 and 
it corresponds to client.example.com. I think that host is likely to 
become possessed, but I cannot filter out its connections to port 25. 
So I try and explicitly authorize no hosts by publishing

   client.example.com IN TXT "v=spf1 -all"

Now, what if that host connects to some port 25 server out there and 
says any of the following:

   EHLO not.that.client.example.com
   EHLO [192.0.2.2]
   HELO HOWDY

My naive TXT record above won't play. The server will get an SPF 
result of "none", which it had better accept, as there are plenty of MTAs 
with correct SPF records except for the HELO identity. Since it had no 
"pass", the server may verify DNS/rDNS: it will find the name doesn't 
match; however, 192.0.2.2 and client.example.com make a consistent 
pair and it accepts the connection. FWIW, the RFC says

| An SMTP server MAY verify that the domain name argument in the EHLO
| command actually corresponds to the IP address of the client.
| However, if the verification fails, the server MUST NOT refuse to
| accept a message on that basis.  Information captured in the
| verification attempt is for logging and tracing purposes.

Perhaps SPF on HELO would have been more effective if servers checked 
the name resulting from rDNS.


SPF only does what it does and isn't a panacea.  Typically in cases like 
this not.that.client.example.com doesn't exist (no A record) or is another 
host (A points to another IP), so you can tell this is bogus before you 
even check SPF or rDNS.

Scott K
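The scenario in this exchange, worked through as an added example (it is not code from either poster, and it is not a real SPF library): a constructed in-memory DNS table stands in for real lookups, and a deliberately minimal SPF evaluator (assumption: only the ip4, a and all mechanisms are supported) is run against the HELO name, against the forward-confirmed rDNS name of the connecting IP, and against Scott's "does the HELO name even resolve to this IP" check. The names, addresses and records are the ones from the thread plus one constructed well-behaved host, mail.example.org.

```python
import ipaddress

# Constructed zone data standing in for real DNS (an assumption of this example).
# client.example.com is the host Alessandro worries about; mail.example.org is a
# made-up host whose HELO name, SPF record and rDNS all line up.
DNS = {
    ("client.example.com", "A"): ["192.0.2.2"],
    ("client.example.com", "TXT"): ["v=spf1 -all"],
    ("2.2.0.192.in-addr.arpa", "PTR"): ["client.example.com"],
    ("mail.example.org", "A"): ["198.51.100.5"],
    ("mail.example.org", "TXT"): ["v=spf1 ip4:198.51.100.5 -all"],
    ("5.100.51.198.in-addr.arpa", "PTR"): ["mail.example.org"],
}


def lookup(name, rtype):
    """Return the constructed records for (name, type); [] when nothing exists."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def spf_check(ip, domain):
    """Minimal SPF evaluation: ip4:, a, and all with +/-/~/? qualifiers only.
    Returns 'none' when the domain publishes no single v=spf1 record."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none"
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return qualifiers[qual]
        elif term == "a":
            if ip in lookup(domain, "A"):
                return qualifiers[qual]
    # No mechanism matched and no "all" term: SPF's default result.
    return "neutral"


def fcrdns_name(ip):
    """Forward-confirmed reverse DNS: the PTR name whose A record contains ip, else None."""
    for name in lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR"):
        if ip in lookup(name, "A"):
            return name
    return None


def helo_forward_matches(ip, helo):
    """Scott's cheap check: does the HELO argument resolve to the connecting IP?
    An address literal such as [192.0.2.2] matches only if it equals the IP."""
    if helo.startswith("[") and helo.endswith("]"):
        return helo[1:-1] == ip
    return ip in lookup(helo, "A")


def evaluate(ip, helo):
    """Combine the three views of one SMTP client for the policy engine."""
    is_literal = helo.startswith("[")
    rdns = fcrdns_name(ip)
    return {
        "helo_spf": "none" if is_literal else spf_check(ip, helo),
        "forward_ok": helo_forward_matches(ip, helo),
        "rdns_name": rdns,
        "rdns_spf": spf_check(ip, rdns) if rdns else "none",
    }


if __name__ == "__main__":
    for helo in ("client.example.com", "not.that.client.example.com",
                 "[192.0.2.2]", "HOWDY"):
        print(helo, evaluate("192.0.2.2", helo))
    print("mail.example.org", evaluate("198.51.100.5", "mail.example.org"))
```

Run as a script, the output shows the point both posters make: only the honest HELO of client.example.com produces an SPF "fail" from the HELO identity, while the three evasive greetings produce "none"; the "-all" record is only reached again when the server evaluates SPF against the forward-confirmed rDNS name, and the forward check alone already flags not.that.client.example.com and HOWDY as names that do not resolve to the connecting IP.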


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: https://www.listbox.com/member/archive/735/=now