spf-discuss

Re: [spf-discuss] SPF on HELO - take 2

2009-01-08 13:18:18
On Thursday 08 January 2009 09:42, Alessandro Vesely wrote:
Scott Kitterman wrote:
On Thu, 08 Jan 2009 13:46:54 +0100 Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:
Perhaps SPF on HELO would have been more effective if servers checked
the name resulting from rDNS.

SPF only does what it does and isn't a panacea.

Yup, it blocks senders, not hosts. Possibly, someone on this list
recalls how come RFC 4408 recommends checking the HELO identity as well...

It started out as a fallback for what to do for null sender (Mail From <>) 
messages, but proved to have general utility.

OK.  Maybe this is not quite baked yet.

What is the precise algorithm for checking SPF on HELO?

It seems to me that the HELO name is required to determine what domain
is taking responsibility for the mail being sent.

(Pardon the pseudo-code)

  sender_IP /* actual IP of connecting MTA */
  sender_HELO /* HELO offered by connecting MTA */
  sender_HELO_IP /* IP of sender according to lookup of HELO name (unused?) */
  sender_SPF_IP_list /* Listed IP addresses for HELO name, per SPF recs */

  if (sender_HELO_IP != valid_A_rec) return(fail);
  if (SPF(sender_HELO) == none) return(none);
  if (sender_IP is_contained_in_list( sender_SPF_IP_list)) return (pass);
  return (fail);

Note that the sender_HELO_IP is not used.  One could also check to see that
sender_IP and sender_HELO_IP are the same.  (they should be, but...)

Note also that the FUD surrounding -all ?all ~all is not relevant
here.  If the IP being used to send mail from the SPF listed domain is
not explicitly listed, the check fails.

Would this algorithm be sufficient?

The idea is that an MTA that gets a <fail> would have all its mail rejected.
I currently do this, with no problems, but I do it "by hand".


I have a question from someone this morning about doing this.  He says
that:

The problem is there are *almost zero* SPF records published for HELO names.  
To be effective, there should be one record for every outgoing Border MTA, and 
the record should end in -all.  How do we motivate senders to do this?

This brings up another point that needs to be resolved: is there any difference
between SPF records "for HELO checking" and "for MAIL FROM" checking?
I think not. (I will invite this gentleman to join this mail list BTW)

-dgl-
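The pseudo-code above, written out as a small runnable SPF evaluator. This is an added example, not code from the mail or from any SPF implementation; the DNS table is constructed (the `example.net` hosts and `192.0.2.x` / `203.0.113.x` addresses are documentation ranges, not real MTAs), and the evaluator deliberately supports only the `a`, `ip4` and `all` mechanisms so that it runs offline. The same `check()` is used for the HELO identity and for the MAIL FROM domain; only the queried name differs, which is the sense in which the record syntax is identical for both checks. The `helo_ip_consistent()` helper is the optional "sender_IP == sender_HELO_IP" comparison from the pseudo-code.

```python
import ipaddress

# Constructed stand-in for DNS (assumption: none of these names or IPs are real).
DNS = {
    "mta1.example.net": {"A": ["192.0.2.10"], "TXT": ["v=spf1 a -all"]},
    "mta2.example.net": {"A": ["192.0.2.11"], "TXT": ["v=spf1 ip4:192.0.2.0/28 ~all"]},
    "mta3.example.net": {"A": ["192.0.2.12"]},  # no SPF record at all -> "none"
}

# Qualifier prefix on a mechanism decides the result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Toy resolver: return the RRset for name/rrtype from the constructed table."""
    return DNS.get(name.lower(), {}).get(rrtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None (SPF result 'none')."""
    recs = [t for t in lookup(domain, "TXT") if t.split(None, 1)[0].lower() == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, cidr):
    """True if ip falls inside cidr (a bare address is treated as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check(sender_ip, domain):
    """Evaluate the SPF record of `domain` against the connecting IP.

    `domain` is the HELO name for a HELO check, or the domain part of the
    envelope sender for a MAIL FROM check; the record syntax is the same.
    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_in(sender_ip, arg)
        elif name == "a":
            # "a" with no argument means the A records of the domain being checked.
            # (A "/prefix" suffix on the target is not handled in this toy evaluator.)
            matched = any(ip_in(sender_ip, a) for a in lookup(arg or domain, "A"))
        else:
            return "permerror"  # include/mx/exists/redirect not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without any match: RFC 4408 default


def check_helo(sender_ip, helo):
    """The HELO check from the pseudo-code: the HELO name is the domain queried."""
    return check(sender_ip, helo)


def helo_ip_consistent(sender_ip, helo):
    """Optional extra check: does the HELO name resolve to the connecting IP?"""
    return any(ip_in(sender_ip, a) for a in lookup(helo, "A"))


def reject_connection(sender_ip, helo):
    """Policy described in the mail: an MTA whose HELO gets 'fail' is rejected."""
    return check_helo(sender_ip, helo) == "fail"


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mta1.example.net"), ("203.0.113.7", "mta1.example.net"),
                     ("192.0.2.5", "mta2.example.net"), ("203.0.113.7", "mta2.example.net"),
                     ("192.0.2.12", "mta3.example.net")]:
        print(ip, helo, check_helo(ip, helo), "reject" if reject_connection(ip, helo) else "accept")
```

Running it shows the two things the thread is circling: a `-all` record turns an unlisted IP into `fail` (which this policy rejects), whereas the same record ending in `~all` only yields `softfail`, and a HELO name with no record at all returns `none`, which is the common case the "almost zero SPF records for HELO names" remark refers to.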


-------------------------------------------
Sender Policy Framework: http://www.openspf.org