spf-discuss

Re: [spf-discuss] Resolving MFROM/HELO conflicts

2010-01-14 03:05:14
At 05:43 14/01/2010  Thursday, Stuart D. Gathman wrote:
> On Thu, 14 Jan 2010, alan wrote:
>
>> but as never should the helo success/pass result be dependent on anything but
>> its ip: my server name doesn't become a forgery just because an unexpected
>> envelope-sender appears on the email; conversely, a forgery of my server name
>> doesn't become legit because of an envelope-sender's SPF
>
> A good point.  Which leads back to receiver policy as to whether to reject
> for either/both.

well I'd advise recommending receivers test both separately with separate
utilities or separate calls to the one utility

i.e. spf3test-client --helo $helo-id $connecting-ip
outputs pass/fail/none/permerror/temperr as errorlevel and suitable header on
stdout

then later in the smtp transaction
test the mfrom with
spf3test-client --mfrom $mfrom-id $connecting-ip $helo-id

{at this stage the helo spf should not be consulted at all, it is there purely
for use by the %{h} macro if used in the mfrom spf record}


> Rejecting on HELO fail has caused the most ire.  One of my clients lost
> a customer because that customer was sending mail with HELO fail,
> and got mad when their email was rejected (used a CNAME):
>
> mail.incompetent.com    IN CNAME incompetent.com.
> incompetent.com         IN TXT "v=spf1 a mx -all"
> incompetent.com         IN A  1.2.3.4
>
> And of course, the IP of the MTA using mail.incompetent.com is not 1.2.3.4 or
> any of the mxes.

well heloing as a cname would cause a fail before SPF checks even happen for
most

as although the RFCs {stupidly IMNHO} don't demand that your helo properly
points to your connecting ip
they do at least demand the helo has an A {not a cname} {unfortunately any A
will do}

{I personally only accept a helo that doesn't resolve to the ip connected if
they have an SPF or CSV to validate that it's non-forged}
any mis-configured senders usually appreciate the heads-up as to why their
sending reputation is mud, and if they are multi-homed and have a sloppy dns
provider that cannot mount all their ips {some GUIs only allow one ip per A}
they just add an spf record for their helo to fix while shopping for a
professional DNS hoster

my users though do often allow all kinds of helo sloppiness {their email, their
choice} but they do get each error/violation enumerated in the visible headers
on each email {this has been enough embarrassment to have senders fix up their
systems or contact me for help}

the fact that many are listed under X-AD-RPFS-DUMB-[0-3]: headers depending on
level of stupidity http://www.alandoherty.net/mailsystem/mail-tagging/

but also I would say that a helo if cname shouldn't be followed by SPF clients
they should give {permfail}
as a helo having a cname would be a violation of RFC


> --
>              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
>    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
> "Confutatis maledictis, flammis acribus addictis" - background song for
> a Microsoft sponsored "Where do you want to go from here?" commercial.
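The two-stage procedure alan describes above (a HELO check that depends only on the HELO name and the connecting IP, followed by a separate MAIL FROM check that is handed the HELO name purely so the %{h} macro can use it) as an added example; this is not code from the thread or from any SPF library. It evaluates records against a constructed in-memory zone: the incompetent.com records are the ones Stuart quoted, while example.net, smtp.example.net, the IP addresses and the function names check_helo / check_mfrom / check_session are assumptions. It also implements alan's suggestion that a HELO name which is a CNAME is not followed but returns permerror. Only the a, mx, ip4 and all mechanisms and the %{d} / %{h} macros are supported.

```python
"""Separate HELO and MAIL FROM SPF evaluation over a constructed in-memory zone."""
import ipaddress

# Constructed records (assumption). The incompetent.com entries mirror the zone
# quoted in the thread; example.net is an invented sending domain whose SPF record
# uses %{h}, so its MAIL FROM check needs the HELO *name* but never the HELO's SPF.
ZONE = {
    ("mail.incompetent.com", "CNAME"): ["incompetent.com"],
    ("incompetent.com", "TXT"): ["v=spf1 a mx -all"],
    ("incompetent.com", "A"): ["1.2.3.4"],
    ("incompetent.com", "MX"): ["mx.incompetent.com"],
    ("mx.incompetent.com", "A"): ["1.2.3.5"],
    ("smtp.example.net", "A"): ["192.0.2.10"],
    ("smtp.example.net", "TXT"): ["v=spf1 a -all"],
    ("example.net", "TXT"): ["v=spf1 a:%{h} -all"],
    ("example.net", "A"): ["192.0.2.1"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for DNS: return the records of one type for a name, or []."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def expand(spec, domain, helo):
    """Expand the only macros this toy supports: %{d} (domain) and %{h} (HELO)."""
    return spec.replace("%{d}", domain).replace("%{h}", helo)


def ip_matches(ip, mechanism, domain, helo):
    """True if the connecting ip matches one mechanism (a, mx, ip4, all)."""
    name, _, arg = mechanism.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = expand(arg, domain, helo) if arg else domain
    if name == "a":
        hosts = [target]
    elif name == "mx":
        hosts = lookup(target, "MX")
    else:
        raise ValueError("unsupported mechanism " + name)
    return any(ipaddress.ip_address(a) == ip for h in hosts for a in lookup(h, "A"))


def check_host(ip, domain, helo):
    """Evaluate domain's v=spf1 record for ip; helo feeds only the %{h} macro."""
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one SPF record is a permanent error
    try:
        for term in records[0].split()[1:]:
            qual = term[0] if term[0] in QUALIFIER else "+"
            mech = term.lstrip("+-~?")
            if ip_matches(ipaddress.ip_address(ip), mech, domain, helo):
                return QUALIFIER[qual]
    except ValueError:
        return "permerror"          # unsupported term or malformed network
    return "neutral"                # no mechanism matched and no 'all' present


def check_helo(helo, ip):
    """HELO identity: the result depends on the HELO name and the IP, nothing else."""
    if lookup(helo, "CNAME"):
        # A CNAME as HELO name violates the RFC; per the poster's suggestion the
        # client does not chase it and reports permerror.
        return "permerror"
    return check_host(ip, helo, helo)


def check_mfrom(mfrom, ip, helo):
    """MAIL FROM identity: the HELO's own SPF record is never consulted here."""
    domain = mfrom.rsplit("@", 1)[-1]
    return check_host(ip, domain, helo)


def check_session(helo, mfrom, ip):
    """Receiver-side driver: two independent results, one header line each.
    The HELO result is fixed before MAIL FROM is seen and is not revised by it."""
    helo_result = check_helo(helo, ip)
    mfrom_result = check_mfrom(mfrom, ip, helo)
    headers = [
        f"Received-SPF: {helo_result} identity=helo; helo={helo}; client-ip={ip}",
        f"Received-SPF: {mfrom_result} identity=mailfrom; envelope-from={mfrom}; client-ip={ip}",
    ]
    return helo_result, mfrom_result, headers


if __name__ == "__main__":
    for line in check_session("mail.incompetent.com", "user@example.net", "1.2.3.4")[2]:
        print(line)
```

Whether a HELO fail or permerror is rejected or merely annotated in a header stays a receiver policy decision, as the thread says; the checks themselves are kept independent so that a forged envelope sender cannot turn a correct HELO into a failure, nor a valid sender domain launder a forged HELO.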


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
