spf-discuss

Re: Re[13]: [spf-discuss] Trying to understand the best recommendation for my client, help appreciated.

2009-05-13 22:10:48
> > no other SPF checks are considered trusted if HELO/EHLO doesn't pass
>
> RFC 4408 doesn't state that "no other SPF checks are considered
> trusted if HELO/EHLO doesn't pass." Your assertion is instantly
> falsified by testing w/the baked-to-order pySPF toolset on the
> website.
>
> When using the postmaster@HELO as a synthetic MAIL FROM, there is no
> other SPF check to run to be RFC compliant, so there can be no "chain
> of trust." Checking both HELO-as-HELO and postmaster@HELO-as-MAIL-FROM
> (which will in most cases be redundant) is an option, but also hardly
> a "chain of trust."
>
> An edge case in which a PASS on HELO (as opposed to NONE or any other
> result on HELO) might be a constant prerequisite when sending to a
> given server is if that server has the custom policy "if *any*
> checkable part of a given envelope has a published SPF record, then
> *all* checkable parts must have published SPF and PASS." Or, of
> course, a policy that requires PASS on HELO for every connection,
> period. Such policies may be interesting, but beyond RFC.

This is basically correct.  The only connection between Mail From and HELO
checking is substitution of the HELO result if Mail From is null. 
Otherwise they are two separate inputs into local policy for
accepting/rejecting mail (RFC 4408 is essentially silent for receiver
policy).

As an example, in
http://www.openspf.org/Software#python-postfix-policyd-spf by default I
first check for HELO and if it has an SPF result of Fail/Softfail/Neutral
return a reject result.  I view failing a HELO check as an easy win for
early rejection of mail that's very unlikely to be desired.  Then Mail
From is checked and SPF Fail on Mail From is rejected.  The remaining
results are included in a header for post-SMTP processing (e.g. used by
SpamAssassin).

So while I think your message is technically correct, I think the tone in
this thread continues to be unhelpful (not just you, but including you).

Scott K
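
The receiver policy described in the message above, as an added sketch that is not part of the original post and is not code from python-postfix-policyd-spf: HELO is checked first and rejected on Fail/Softfail/Neutral, then Mail From is checked and rejected on Fail, with postmaster@HELO standing in for a null Mail From. The `lookup` callable, the sample result table, and the simplified Received-SPF lines are assumptions made for illustration.

```python
# Added illustration; not code from python-postfix-policyd-spf.
HELO_REJECT = {"fail", "softfail", "neutral"}   # HELO results rejected early
MAILFROM_REJECT = {"fail"}                      # Mail From results rejected

def decide(client_ip, helo_name, mail_from, lookup):
    """Apply the two-stage policy; return (action, details).

    lookup(scope, identity, client_ip) -> SPF result string. It is a
    hypothetical stand-in for a real evaluator such as pySPF.
    action is "reject" (details = reason) or "prepend" (details = headers).
    """
    headers = []

    # Stage 1: HELO identity, evaluated on its own.
    helo_result = lookup("helo", helo_name, client_ip).lower()
    if helo_result in HELO_REJECT:
        return "reject", f"SPF {helo_result} on HELO {helo_name}"
    headers.append(_received_spf(helo_result, identity="helo",
                                 client_ip=client_ip, helo=helo_name))

    # Stage 2: Mail From identity. A null reverse-path (bounce) has no
    # domain, so RFC 4408 substitutes postmaster@<HELO name>.
    sender = mail_from or f"postmaster@{helo_name}"
    mf_result = lookup("mailfrom", sender, client_ip).lower()
    if mf_result in MAILFROM_REJECT:
        return "reject", f"SPF {mf_result} on Mail From {sender}"
    headers.append(_received_spf(mf_result, identity="mailfrom",
                                 client_ip=client_ip, helo=helo_name,
                                 envelope_from=sender))
    # Everything not rejected is recorded for post-SMTP processing.
    return "prepend", headers

def _received_spf(result, **kv):
    # Simplified Received-SPF line using RFC 4408 key names.
    pairs = "; ".join(f"{k.replace('_', '-')}={v}" for k, v in kv.items())
    return f"Received-SPF: {result} {pairs}"

# Constructed sample data: SPF result per (scope, domain); others are "none".
SAMPLE = {
    ("helo", "mail.example.org"): "pass",
    ("mailfrom", "mail.example.org"): "pass",
    ("helo", "dsl.example.net"): "neutral",
    ("mailfrom", "example.com"): "softfail",
    ("mailfrom", "example.edu"): "fail",
}

def sample_lookup(scope, identity, client_ip):
    return SAMPLE.get((scope, identity.rsplit("@", 1)[-1]), "none")
```
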

