At 05:43 14/01/2010 Thursday, Stuart D. Gathman wrote:
> On Thu, 14 Jan 2010, alan wrote:
> > but as never should the HELO success/pass result be dependent on anything but
> > its IP; my server name doesn't become a forgery just because an unexpected
> > envelope-sender appears on the email, and conversely a forgery of my server name
> > doesn't become legit because of an envelope-sender's SPF
> A good point. Which leads back to receiver policy as to whether to reject
> for either/both.
Well, I'd advise recommending receivers test both separately, with separate
utilities or separate calls to the one utility, i.e.
spf3test-client --helo $helo-id $connecting-ip
outputs pass/fail/none/permerror/temperror as errorlevel and a suitable header on
stdout;
then later in the SMTP transaction, test the mfrom with
spf3test-client --mfrom $mfrom-id $connecting-ip $helo-id
{at this stage the HELO SPF should not be consulted at all; it is there purely
for use by the %{h} macro if used in the mfrom SPF record}
> Rejecting on HELO fail has caused the most ire. One of my clients lost
> a customer because that customer was sending mail with HELO fail,
> and got mad when their email was rejected (used a CNAME):
> mail.incompetent.com IN CNAME incompetent.com.
> incompetent.com IN TXT "v=spf1 a mx -all"
> incompetent.com IN A 1.2.3.4
> And of course, the IP of the MTA using mail.incompetent.com is not 1.2.3.4 or
> any of the mxes.
Well, HELOing as a CNAME would cause a fail before SPF checks even happen for
most,
as although the RFCs {stupidly IMNHO} don't demand that your HELO properly
points to your connecting IP,
they do at least demand the HELO has an A {not a CNAME} {unfortunately any A
will do}.
{I personally only accept a HELO that doesn't resolve to the IP connected if
they have an SPF or CSV to validate that it's non-forged.}
Any mis-configured senders usually appreciate the heads-up as to why their
sending reputation is mud, and if they are multi-homed and have a sloppy DNS
provider that cannot mount all their IPs {some GUIs only allow one IP per A},
they just add an SPF record for their HELO to fix it while shopping for a
professional DNS hoster.
My users though do often allow all kinds of HELO sloppiness {their email, their
choice}, but they do get each error/violation enumerated in the visible headers
on each email {this has been enough embarrassment to have senders fix up their
systems or contact me for help};
in fact many are listed under X-AD-RPFS-DUMB-[0-3]: headers depending on the
level of stupidity: http://www.alandoherty.net/mailsystem/mail-tagging/
But also I would say that a HELO, if a CNAME, shouldn't be followed by SPF clients;
they should give {permfail},
as a HELO having a CNAME would be a violation of the RFC.
> --
> Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
> Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
> "Confutatis maledictis, flammis acribus addictis" - background song for
> a Microsoft sponsored "Where do you want to go from here?" commercial.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/
[http://www.listbox.com/member/]
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
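As an added illustration, not part of the thread and not pyspf or any shipped spf3test-client, here is a small Python model of the two-stage check alan describes: the HELO identity is evaluated against the connecting IP alone, and the MAIL FROM check receives the HELO name only to feed the %{h} macro. The zone data is constructed to mirror Stuart's CNAME example; the example.org record, the 5.6.7.8 address, and the cname_is_permerror switch (alan's proposed treatment, not RFC behaviour) are assumptions.

```python
# Constructed zone data mirroring Stuart's example (plus one hypothetical
# domain using the %{h} macro); no real DNS is queried.
DNS = {
    "incompetent.com": {"A": ["1.2.3.4"], "MX": ["mx.incompetent.com"],
                        "TXT": ["v=spf1 a mx -all"]},
    "mx.incompetent.com": {"A": ["1.2.3.5"]},
    "mail.incompetent.com": {"CNAME": ["incompetent.com"]},   # the HELO name
    "example.org": {"TXT": ["v=spf1 a:%{h} -all"]},           # hypothetical
    "smtp.example.org": {"A": ["5.6.7.8"]},                   # hypothetical
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Resolver-style lookup: a CNAME is followed for every record type."""
    rr = DNS.get(name, {})
    if rtype in rr:
        return rr[rtype]
    if "CNAME" in rr:
        return lookup(rr["CNAME"][0], rtype)
    return []

def check_host(ip, domain, helo=""):
    """Toy SPF evaluator: a, mx, all and the %{h} macro only (no CIDR, no include)."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        name, _, arg = mech.replace("%{h}", helo).partition(":")
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in lookup(target, "A")
        elif name == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        else:
            return "permerror"          # unsupported mechanism in this toy
        if matched:
            return QUAL[qual]
    return "neutral"

def helo_check(helo, ip, cname_is_permerror=False):
    """Stage 1: HELO identity against the connecting IP only; no MAIL FROM input."""
    if cname_is_permerror and "CNAME" in DNS.get(helo, {}):
        return "permerror"              # alan's proposed policy, not RFC behaviour
    return check_host(ip, helo)

def mfrom_check(mfrom, ip, helo):
    """Stage 2: MAIL FROM domain; HELO is passed only to expand the %{h} macro."""
    return check_host(ip, mfrom.rpartition("@")[2], helo)
```

Because helo_check takes no MAIL FROM argument, the HELO result cannot change with the envelope sender; the CNAME case fails on the `-all` once the `a`/`mx` targets (followed through the CNAME) do not contain the MTA's IP.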