On Thu, 14 Jan 2010, alan wrote:
> but as never should the helo success/pass result be dependent on anything but
> its ip; my server name doesn't become a forgery just because an unexpected
> envelope-sender appears on the email; conversely a forgery of my server name
> doesn't become legit because an envelope-sender's SPF
A good point. Which leads back to receiver policy as to whether to reject
for either/both.
Rejecting on HELO fail has caused the most ire. One of my clients lost
a customer because that customer was sending mail with HELO fail,
and got mad when their email was rejected (used a CNAME):

  mail.incompetent.com  IN  CNAME  incompetent.com.
  incompetent.com       IN  TXT    "v=spf1 a mx -all"
  incompetent.com       IN  A      1.2.3.4

And of course, the IP of the MTA using mail.incompetent.com is not 1.2.3.4 or
any of the mxes.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
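
Added example, not part of the original post: a simplified SPF HELO check (handling only the a, mx and all mechanisms) run over constructed zone data that mirrors the records quoted above, showing how the CNAME makes the HELO name inherit "-all". The MX host, its address and the connecting IP used in the usage note are assumptions.

```python
# Constructed zone data mirroring the records in the post. The MX record and
# its address are assumptions added so the "mx" mechanism has something to test.
ZONE = {
    ("mail.incompetent.com", "CNAME"): ["incompetent.com"],
    ("incompetent.com", "TXT"): ["v=spf1 a mx -all"],
    ("incompetent.com", "A"): ["1.2.3.4"],
    ("incompetent.com", "MX"): ["mx1.incompetent.com"],
    ("mx1.incompetent.com", "A"): ["1.2.3.5"],
}

def lookup(name, rtype, depth=0):
    """Resolve rtype for name, following CNAMEs as a resolver would."""
    name = name.rstrip(".").lower()
    if (name, rtype) in ZONE:
        return ZONE[(name, rtype)]
    cname = ZONE.get((name, "CNAME"))
    if cname and depth < 8:
        return lookup(cname[0], rtype, depth + 1)
    return []

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_helo(ip, helo):
    """Evaluate the HELO identity against its SPF record (a, mx, all only)."""
    records = [t for t in lookup(helo, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # The target domain is the HELO name itself; the CNAME leads to 1.2.3.4.
            matched = ip in lookup(helo, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(helo, "MX"))
        else:
            return "permerror"  # mechanism outside this sketch's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

Calling check_helo("192.0.2.25", "mail.incompetent.com") with that constructed client address returns "fail": the TXT lookup follows the CNAME, and neither the a nor the mx mechanism matches before -all.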