----- Original Message -----
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, July 13, 2009 6:34 PM
Subject: Re: [spf-discuss] Feature request for SPFv3
> On Sat, 11 Jul 2009, Alex van den Bogaerdt wrote:
>
> > > In my "best-guess" algorithm, a validated HELO (that resolves to the
> > > connect ip) is added to the collection of validated PTR records for
> > > the PTR mechanism.
> > >
> > > I propose to make this a MUST behaviour for spfv3.
> >
> > It seems a newline is needed here. Your next line talks about HELO which
> > cannot be validated.
>
> HELO is "validated" in the same way a PTR record is - by checking for
> a match with connect ip.

My point is: either DNS is set up correctly, PTR records are set up, or it
isn't. "... find it difficult to get their ISP to maintain PTR records."
seems to indicate that DNS is not set up correctly.

Anyway, this does not seem to be important, read on.

> > > While SPF macros can select the rightmost parts of HELO,
> >
> > Why would one do this?
>
> To match it to the mail domain like with the SPF ptr mechanism.

???

AFAIK the ptr mechanism does not tie helo to the mail domain.

> > > and it is possible for SPF to verify that HELO matches the connect ip
> > > (somewhat kludgily),
> >
> > Am I missing something? You seem to be describing the following:
> >
> > [deleted by stuart: v=spf a -all]
>
> You are missing something. Think of HELO as a PTR record that is
> supplied via SMTP instead of a DNS lookup.

Verifying that the connected IP and the HELO parameter match is done using
the "a" mechanism.

Even if the DNS in-addr.arpa entry points to that bigisp, which then points
back to the IP address, "v=spf1 a -all" will still validate a HELO
parameter like "smtp-out.example.com".

> > > I haven't hit on a way to check that the rightmost parts
> > > of HELO match the MAILFROM domain using spfv1.
> >
> > The ptr mechanism, which should be abandoned IMHO, does this. But indeed
> > that needs a properly set up DNS. It seems that you propose something like
> > "heloptr" which would use the HELO parameter instead of what is found in
> > the in-addr.arpa part of the DNS tree. Those who are unable or unwilling
> > to set up DNS correctly won't understand that "heloptr" would also match
> > dyn-10-1-2-3.customer.example.com. This may or may not be harmful, but is
> > probably not what was intended.
>
> It is what was intended. When example.com contracts with bigisp.com to
> provide a dsl account with a small static IP block (typically /29), the
> problem is that bigisp.com is typically unable to reliably provide PTR
> records chosen by example.com[*]. However, the PTR record they do choose
> will be something like 'dyn-10-1-2-3.bigisp.com', *not*
> 'dyn-10-1-2-3.example.com', (never mind that the contract is for static
> ips).

I chose "example.com" because of RFC 2606. Anyway...

Why would dyn-10-1-2-4.bigisp.com need to be authorized?
(notice: 4, not 3)

After all, if you're going to take the rightmost part of the HELO string,
both end in bigisp.com or in example.com, whatever it is you're trying to
tell us ...

I may not be the smartest one on this list but I'm not stupid and I don't
understand what you're trying to do. Perhaps you should write an example
smtp dialog, including some remarks where and why your "heloptr" would make
a difference, to make clear what you want. Thanks.
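The two checks being argued about in this exchange, written out as an added example that is not code from the thread, from pyspf or from any SPF implementation: the SPF `ptr` mechanism (PTR names that resolve back to the connecting IP, compared by their rightmost labels against the MAIL FROM domain), the `v=spf1 a -all` style check of a HELO name against the connecting IP, and the "heloptr" idea of feeding a validated HELO into the same rightmost-labels comparison. DNS is replaced by a constructed in-memory table so it runs offline; 10.1.2.3, example.com and bigisp.com follow the thread, every other name and address is a made-up assumption. It also exercises the objection raised above: a validated HELO of dyn-10-1-2-3.customer.example.com passes the comparison against example.com exactly as smtp-out.example.com does.

```python
"""Added example (not from the spf-discuss thread or from any SPF library):
the SPF 'ptr' mechanism versus the 'heloptr' idea discussed above.

DNS is replaced by a constructed in-memory table so this runs offline.
"""

# Constructed forward (A) records: name -> set of IPv4 addresses (assumed data).
FAKE_A = {
    "smtp-out.example.com": {"10.1.2.3"},
    "dyn-10-1-2-3.bigisp.com": {"10.1.2.3"},
    "dyn-10-1-2-3.customer.example.com": {"10.1.2.3"},
    "dyn-10-1-2-4.bigisp.com": {"10.1.2.4"},
}
# Constructed reverse (PTR) records, chosen by the ISP rather than by example.com.
FAKE_PTR = {
    "10.1.2.3": {"dyn-10-1-2-3.bigisp.com"},
    "10.1.2.4": {"dyn-10-1-2-4.bigisp.com"},
}


def _norm(name):
    """Lower-case and drop a trailing dot so name comparisons are case-insensitive."""
    return name.lower().rstrip(".")


def lookup_a(name):
    """Stand-in for an A lookup against the constructed table."""
    return FAKE_A.get(_norm(name), set())


def lookup_ptr(ip):
    """Stand-in for a PTR lookup against the constructed table."""
    return FAKE_PTR.get(ip, set())


def validated_ptr_names(ip):
    """SPF 'ptr' style: PTR names that also resolve forward to the connecting IP.

    Names that do not resolve back are dropped, so a PTR record alone cannot
    claim an arbitrary domain.
    """
    return {_norm(n) for n in lookup_ptr(ip) if ip in lookup_a(n)}


def helo_validated(helo, ip):
    """What 'v=spf1 a -all' evaluated against the HELO name checks: the HELO
    name has an A record for the connecting IP."""
    return ip in lookup_a(helo)


def name_matches_domain(name, domain):
    """ptr-mechanism comparison: the validated name is the domain itself or a
    subdomain of it, i.e. its rightmost labels are exactly the domain."""
    name, domain = _norm(name), _norm(domain)
    return name == domain or name.endswith("." + domain)


def ptr_mechanism(ip, mailfrom_domain):
    """SPF 'ptr' mechanism: some validated PTR name lies within the MAIL FROM domain."""
    return any(name_matches_domain(n, mailfrom_domain) for n in validated_ptr_names(ip))


def heloptr(helo, ip, mailfrom_domain):
    """The proposal under discussion: a validated HELO is added to the set of
    validated PTR names, then the usual rightmost-labels comparison is applied."""
    names = validated_ptr_names(ip)
    if helo_validated(helo, ip):
        names.add(_norm(helo))
    return any(name_matches_domain(n, mailfrom_domain) for n in names)


if __name__ == "__main__":
    ip, mf = "10.1.2.3", "example.com"
    print("ptr mechanism:", ptr_mechanism(ip, mf))  # ISP-chosen PTR is in bigisp.com
    for helo in ("smtp-out.example.com", "dyn-10-1-2-3.customer.example.com",
                 "dyn-10-1-2-4.bigisp.com", "other.invalid"):
        print(f"heloptr {helo}: {heloptr(helo, ip, mf)}")
```

With the constructed data, `ptr_mechanism` fails for example.com because the only PTR name is under bigisp.com, while `heloptr` passes for both smtp-out.example.com and dyn-10-1-2-3.customer.example.com, since each resolves to 10.1.2.3 and ends in example.com. A HELO of dyn-10-1-2-4.bigisp.com does not pass from 10.1.2.3: it resolves to a different address, so it is never added to the validated set.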
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com