
Mailing List Archive: SPF: Discuss

SPF on HELO

 

 



vesely at tana

Jan 9, 2009, 7:33 AM

Post #26 of 53 (4565 views)
Re: SPF on HELO - take 2 [In reply to]

Stuart D. Gathman wrote:
> On Thu, 8 Jan 2009, Alessandro Vesely wrote:
>
>> Setting a matching HELO name may be cumbersome when using NAT, multihomed
>> hosts, VPNs, and the like. IMHO, checking the domain name should suffice.
>
> Multihomed hosts just need to use a HELO that matches the IP they
> are sending mail on. Using a single HELO name with multiple A records
> that matches *all* their IPs works too if the sending IP is selected
> randomly. NAT and VPN are irrelevant. Just set HELO to something that matches
> whatever you are natted to - just like multi-homed.

However, if one happens to mix all those, e.g. NATting a pool of
addresses to some multihomed hosts through a VPN, it may well be hard
to configure the helo name properly :-/

> I don't *require* PTR. HELO works just as well as rDNS (better and cheaper).
> But I'll take a valid PTR in place of a bogus HELO to establish MTA
> identity. I don't like MTAs that require rDNS/PTR, because the vast majority
> of MTAs for small domains do not have a 256 block of IPs, and have to
> beg and plead with their ISP for weeks to get rDNS configured properly.

In other words, you accept an SPF "pass" on HELO to skip further
[FC]rDNS checks. Very reasonable. Courier-MTA, for one, defaults to
that behavior when SPF checks are enabled.


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


dmquigg-spf at yahoo

Jan 9, 2009, 8:43 AM

Post #27 of 53 (4577 views)
Re: SPF on HELO - take 2 [In reply to]

At 04:04 PM 1/9/2009 +0100, Alessandro Vesely wrote:
>Don Lee wrote:
>>>CSV and David's _auth mechanisms do that check with much less effort and more reliability than SPF --those mechanisms provide for denying an IP to send mail for a given domain.
>>Can you explain? What is "CSV and David's _auth"?
>
>Two methods designed for establishing who is authorized to relay mail in a hierarchically authoritative fashion, i.e. using DNS "properly" (as opposed to DNSBL non-hierarchical scheme.)
>
>For more info, see
>http://en.wikipedia.org/wiki/Certified_Server_Validation
>http://open-mail.org/Registry.html

_auth is not a method. It is the name of the DNS TXT record a domain owner can publish to assert control of his Registry record. As much as I would like to invent yet another authentication method, I have resisted that temptation. We use PTR, SPF, and CSV. DKIM is coming soon.

-- Dave







scott at kitterman

Jan 9, 2009, 9:39 AM

Post #28 of 53 (4555 views)
Re: SPF on HELO - take 2 [In reply to]

On Thursday 08 January 2009 13:17, Don Lee wrote:
> >On Thursday 08 January 2009 09:42, Alessandro Vesely wrote:
> >> Scott Kitterman wrote:
> >> > On Thu, 08 Jan 2009 13:46:54 +0100 Alessandro Vesely <vesely [at] tana>
> >
> >wrote:
> >> >>Perhaps SPF on HELO would have been more effective if servers checked
> >> >>the name resulting from rDNS.
> >> >
> >> > SPF only does what it does and isn't a panacea.
> >>
> >> Yup, it blocks senders, not hosts. Possibly, someone on this list
> >> recalls how come RFC 4408 recommends checking the HELO identity as
> >> well...
> >
> >It started out as a fallback for what to do for null sender (Mail From <>)
> >messages, but proved to have general utility.
>
> OK. Maybe this is not quite baked yet.
>
> What is the precise algorithm for checking SPF on HELO?
>
> It seems to me that the HELO name is required to determine what domain
> is taking responsibility for the mail being sent.
>
> (Pardon the pseudo-code)
>
> sender_IP /* actual IP of connecting MTA */
> sender_HELO /* HELO offered by connecting MTA */
> sender_HELO_IP /* IP of sender according to lookup of HELO name (unused?) */
> sender_SPF_IP_list /* Listed IP addresses for HELO name, per SPF recs */
>
> if (sender_HELO_IP != valid_A_rec) return(fail);
Note: This is outside the scope of SPF, but yes. I'd check this first, but
I'm not sure I understand your notation. What I was trying to say is lookup
any A records associated with sender_HELO. If there are none or none of them
(which I think is sender_HELO_IP) are sender_IP then return(fail).

> if (SPF(sender_HELO) == none) return(none);
If you're going to do rDNS checks, then that'd come before return(none).

> if (sender_IP is_contained_in_list( sender_SPF_IP_list)) return (pass);
> return (fail);
>
> Note that the sender_HELO_IP is not used. One could also check to see that
> sender_IP and sender_HELO_IP are the same. (they should be, but...)

I think that is what one checks if I'm understanding you.

> Note also that the FUD surrounding -all ?all ~all is not relevant
> here. If the IP being used to send mail from the SPF listed domain is
> not explicitly listed, the check fails.
>
> Would this algorithm be sufficient?

Roughly.

> The idea is that an MTA that gets a <fail> would have all its mail
> rejected. I currently do this, with no problems, but I do it "by hand".

Yes.

>
> I have a question from someone this morning about doing this. He says
>
> that:
> >The problem is there are *almost zero* SPF records published for HELO
> > names. To be effective, there should be one record for every outgoing
> > Border MTA, and the record should end in -all. How do we motivate
> > senders to do this?
>
> This brings up another point that needs to be resolved: is there any
> difference between SPF records "for HELO checking" and "for MAIL FROM"
> checking? I think not. (I will invite this gentleman to join this mail list
> BTW)

We don't 'make' senders do anything, of course. It's been a while since I
looked for it, but IIRC it has at times been (and may be now - I'm too lazy to
look) common for spammers to forge the same domain in Mail From and HELO.

So if you take a domain that has an SPF record that ends in ?all or ~all, like
(for example) hotmail.com (I pick this because I recall this one being common
when I looked a while ago) a forged use of hotmail.com in Mail From and HELO
gets a Softfail result. For Mail From, you really can't (shouldn't) take a
definitive action during the SMTP transaction. The best you can do is tag it
as Softfail and let that go into the mix of factors used in your post-SMTP
filtering. HELO is a different story. You can, quite safely, take that same
Softfail and reject based on HELO not being Pass/None. So even if no one
explicitly published a record for HELO there are cases where it's a win.

I also run the SPF project's email test reflector (See 'E-mail based record
testers' in http://www.openspf.org/Tools ). I have a simple script I
sometimes run against my mail logs to see how people are doing. It's a very
simple script, so it doesn't check to see if there are multiple identical
results (and there always are - I don't know why people do the same check
over and over, but they do) so with an appropriate grain of salt here's the
most recent one day results:

Total tests sent - 89

Mail From Pass - 34
Mail From None - 39
Mail From Fail - 6
Mail From Softfail - 4
Mail From Neutral - 3
Mail From Temperror - 0
Mail From Permerror - 3

HELO Pass - 12
HELO Fail - 4
HELO None - 71
HELO Softfail - 1
HELO Neutral - 0
HELO Temperror - 0
HELO Permerror - 1

This is consistent with my general experience, fewer people publish records
for HELO than Mail From, but it's not "almost zero".

My bottom line is that I agree HELO checking and SPF could use more attention
and evangelism, but it's a low cost, low risk easy win. Even if it doesn't
help a lot, it doesn't hurt a bit, so just do it.

Scott K
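As an added illustration of the HELO algorithm sketched above and of the point that a Softfail can be acted on for HELO but only tagged for MAIL FROM (example code written for this archive page, not code from any poster or from an SPF library): a minimal check over a constructed in-memory DNS table. The zone data, domain names and function names are assumptions; only the ip4, a, mx, include and all mechanisms are handled, and the example.com layout follows the "mx -all" / "a -all" records Stuart suggests later in the thread.

```python
# Added example: SPF-on-HELO check following this thread's pseudo-code and the
# corrections to it. DNS is a constructed in-memory table (no network); only the
# ip4, a, mx, include and all mechanisms are implemented. Names are assumptions.
import ipaddress

# Constructed zone data (assumption): documentation addresses and names only.
DNS = {
    "A": {
        "mx1.example.com": ["192.0.2.20"],
        "mx2.example.com": ["192.0.2.21"],
        "mailout.example.com": ["192.0.2.10"],        # HELO name with no TXT record
        "relay.softfail.example": ["198.51.100.77"],  # outside its own ip4 range
    },
    "MX": {"example.com": ["mx1.example.com", "mx2.example.com"]},
    "TXT": {
        "example.com": ["v=spf1 mx -all"],
        "mx1.example.com": ["v=spf1 a -all"],
        "mx2.example.com": ["v=spf1 a -all"],
        # An owner who hedged with ~all and does not list every transmitter.
        "softfail.example": ["v=spf1 ip4:198.51.100.0/28 ~all"],
        "relay.softfail.example": ["v=spf1 include:softfail.example ~all"],
    },
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(rrtype, name):
    """Return the constructed RRset for name, or [] when none exists."""
    return DNS.get(rrtype, {}).get(name.lower().rstrip("."), [])

def spf_record(domain):
    """The domain's single v=spf1 TXT record; None if absent, 'permerror' if several."""
    recs = [t for t in lookup("TXT", domain) if t.lower().split()[:1] == ["v=spf1"]]
    if not recs:
        return None
    return recs[0] if len(recs) == 1 else "permerror"

def check_host(ip, domain, depth=0):
    """RFC 4408 check_host() restricted to the ip4, a, mx, include and all terms."""
    if depth > 10:                          # RFC 4408 caps DNS-consuming terms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup("A", arg or domain)
        elif mech == "mx":
            matched = any(ip in lookup("A", mx) for mx in lookup("MX", arg or domain))
        elif mech == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):    # RFC 4408 section 5.2
                return "permerror"
            matched = sub == "pass"             # fail/softfail/neutral: no match
        else:
            return "permerror"                  # modifiers etc. are out of scope here
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                            # nothing matched and no 'all' term

def helo_result(ip, helo):
    """The thread's algorithm: the HELO name must resolve to the connecting IP
    (the step placed first above), then check_host() runs on the HELO identity."""
    if ip not in lookup("A", helo):
        return "fail"
    return check_host(ip, helo)

def helo_action(ip, helo):
    """HELO policy from the post above: reject unless the result is Pass or None."""
    result = helo_result(ip, helo)
    return ("accept" if result in ("pass", "none") else "reject"), result

def mail_from_action(ip, domain):
    """For MAIL FROM the same Softfail is only tagged for post-SMTP filtering."""
    result = check_host(ip, domain)
    if result == "fail":
        return "reject", result
    return ("tag" if result == "softfail" else "accept"), result

if __name__ == "__main__":
    cases = [
        ("192.0.2.20", "mx1.example.com"),            # genuine MTA: pass
        ("203.0.113.9", "mx1.example.com"),           # A record mismatch: fail
        ("198.51.100.77", "relay.softfail.example"),  # owner relies on ~all: softfail
        ("192.0.2.10", "mailout.example.com"),        # resolves, no record: none
    ]
    for ip, helo in cases:
        print(f"{ip:>14} HELO {helo:<24} -> {helo_action(ip, helo)}")
```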




spfdiscuss at caution

Jan 9, 2009, 10:01 AM

Post #29 of 53 (4565 views)
Re: SPF on HELO - take 2 [In reply to]

Scott K wrote:
>This is consistent with my general experience, fewer people publish records
>for HELO than Mail From, but it's not "almost zero".
>
>My bottom line is that I agree HELO checking and SPF could use more attention
>and evangelism, but it's a low cost, low risk easy win. Even if it doesn't
>help a lot, it doesn't hurt a bit, so just do it.

I agree. I want to ensure that there are no holes in the logic and
then push the evangelism.

Are there any cases where the SPF records that were "intended" for MAIL FROM
would be misleading or otherwise harmful if used for HELO? My conclusion
is that there are no problems here. All SPF records published should be
usable to safely vet MTA connections as outlined in this thread.
I can not think of any cases where an SPF record intended to allow
a MAIL FROM domain of XXX would exclude XXX in HELO checking.

(The only case I can think of is where the admin depends on softfail, and
deliberately uses an MTA that is not in the explicit IP list.
That would be a really dumb thing to do, but......)

If this is correct, it would be good to add a few words in the "marketing
literature" to say so.

-dgl-




scott at kitterman

Jan 9, 2009, 10:28 AM

Post #30 of 53 (4565 views)
Re: SPF on HELO - take 2 [In reply to]

On Friday 09 January 2009 13:01, Don Lee wrote:
> Scott K wrote:
> >This is consistent with my general experience, fewer people publish
> > records for HELO than Mail From, but it's not "almost zero".
> >
> >My bottom line is that I agree HELO checking and SPF could use more
> > attention and evangelism, but it's a low cost, low risk easy win. Even
> > if it doesn't help a lot, it doesn't hurt a bit, so just do it.
>
> I agree. I want to ensure that there are no holes in the logic and
> then push the evangelism.
>
> Are there any cases where the SPF records that were "intended" for MAIL
> FROM would be misleading or otherwise harmful if used for HELO? My
> conclusion is that there are no problems here. All SPF records published
> should be usable to safely vet MTA connections as outlined in this thread.
> I can not think of any cases where an SPF record intended to allow
> a MAIL FROM domain of XXX would exclude XXX in HELO checking.

AFAIK, no. There are people that will argue layer violations, but I'm
completely unaware of any real situations where it would be problematic.

> (The only case I can think of is where the admin depends on softfail, and
> deliberately uses an MTA that is not in the explicit IP list.
> That would be a really dumb thing to do, but......)
>
> If this is correct, it would be good to add a few words in the "marketing
> literature" to say so.
>

I believe it's correct.

I'm all in favor of better marketing literature, but lack the time to write
it. Patches gratefully accepted.

If you (or anyone) has suggestions on how better to describe this on the
openspf.org web site, please send text.

Scott K




dmquigg-spf at yahoo

Jan 9, 2009, 10:39 AM

Post #31 of 53 (4564 views)
Re: SPF on HELO - take 2 [In reply to]

At 12:01 PM 1/9/2009 -0600, Don Lee wrote:

>Are there any cases where the SPF records that were "intended" for MAIL FROM
>would be misleading or otherwise harmful if used for HELO? My conclusion
>is that there are no problems here. All SPF records published should be
>usable to safely vet MTA connections as outlined in this thread.
>I can not think of any cases where an SPF record intended to allow
>a MAIL FROM domain of XXX would exclude XXX in HELO checking.

The problem is, if we reject at HELO, based on an SPF record for MAIL FROM, we are re-interpreting the SPF record in a way that the domain owner may not have intended. Even if there is no intention that there be a discrepancy, it can occur because HELO checking using SPF records is so rare. A few years ago, I wanted to use the SPF record from rr.com, with over 1 million authorized addresses, to reject at HELO. I got assurance from the postmaster at rr.com that their SPF record listed *all* of their transmitters. I noticed that his message to me was from a transmitter not on his list. "Oh that's just one of our administrative servers." He didn't feel it was necessary to make any changes!!

I would like to REJECT anyway. The postmaster at XXX will see the SMTP REJECT immediately. The fix is simple - just change either the HELO name or the SPF record, so there is a match.

I won't do this without consensus in the SPF community.

-- Dave







stuart at bmsi

Jan 9, 2009, 12:03 PM

Post #32 of 53 (4559 views)
Re: SPF on HELO - take 2 [In reply to]

On Fri, 9 Jan 2009, Scott Kitterman wrote:

> AFAIK, no. There are people that will argue layer violations, but I'm
> completely unaware of any real situations where it would be problematic.

RFC4408 explicitly says to apply SPF to HELO for empty MAIL FROM.
I guess the leap here is to apply it to HELO for all MAIL FROMs.

> > (The only case I can think of is where the admin depends on softfail, and
> > deliberately uses an MTA that is not in the explicit IP list.
> > That would be a really dumb thing to do, but......)
> >
> > If this is correct, it would be good to add a few words in the "marketing
> > literature" to say so.
> >
>
> I believe it's correct.
>
> I'm all in favor of better marketing literature, but lack the time to write
> it. Patches gratefully accepted.
>
> If you (or anyone) has suggestions on how better to describe this on the
> openspf.org web site, please send text.

The CSV folks won't be happy. CSV does a slightly better job at HELO
checking - but hasn't gotten the traction. I've had CSV checking on
my TODO list for some time - any examples of real CSV records out there?

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.




scott at kitterman

Jan 9, 2009, 12:16 PM

Post #33 of 53 (4554 views)
Re: SPF on HELO - take 2 [In reply to]

On Friday 09 January 2009 15:03, Stuart D. Gathman wrote:
> On Fri, 9 Jan 2009, Scott Kitterman wrote:
> > AFAIK, no. There are people that will argue layer violations, but I'm
> > completely unaware of any real situations where it would be problematic.
>
> RFC4408 explicitly says to apply SPF to HELO for empty MAIL FROM.
> I guess the leap here is to apply it to HELO for all MAIL FROMs.

It's not much of a leap. It's recommended:

http://www.openspf.org/RFC_4408#helo-ident

"It is RECOMMENDED that SPF clients not only check the "MAIL FROM" identity,
but also separately check the "HELO" identity by applying the check_host()
function (Section 4) to the "HELO" identity as the <sender>."

We're coming up on the third anniversary of RFC 4408. I think it's reasonable
to assume that using an SPF record for HELO should not be a surprise. I'm
unaware of it ever causing an actual problem.

Scott K




dmquigg-spf at yahoo

Jan 9, 2009, 1:26 PM

Post #34 of 53 (4549 views)
Re: SPF on HELO - take 2 [In reply to]

At 03:03 PM 1/9/2009 -0500, Stuart D. Gathman wrote:

>CSV does a slightly better job at HELO checking - but hasn't gotten the traction. I've had CSV checking on
>my TODO list for some time - any examples of real CSV records out there?

_client._smtp.open-mail.org. 1800 IN SRV 1 2 1 mailout.open-mail.org.

I think I may be the only one left on the planet, however.

SPF actually has a better shot than CSV at "doing the job" of HELO checking. CSV had to convince DNS services all over the world that they should implement these weird SRV records. The only thing holding SPF back is a slight re-interpretation, one that will not break any existing setups.

-- Dave







spfdiscuss at caution

Jan 9, 2009, 3:54 PM

Post #35 of 53 (4546 views)
Re: SPF on HELO - take 2 [In reply to]

At 3:16 PM -0500 1/9/09, Scott Kitterman wrote:
>On Friday 09 January 2009 15:03, Stuart D. Gathman wrote:
>> On Fri, 9 Jan 2009, Scott Kitterman wrote:
>> > AFAIK, no. There are people that will argue layer violations, but I'm
>> > completely unaware of any real situations where it would be problematic.
>>
>> RFC4408 explicitly says to apply SPF to HELO for empty MAIL FROM.
>> I guess the leap here is to apply it to HELO for all MAIL FROMs.
>
>It's not much of a leap. It's recommended:
>
>http://www.openspf.org/RFC_4408#helo-ident
>
>"It is RECOMMENDED that SPF clients not only check the "MAIL FROM" identity,
>but also separately check the "HELO" identity by applying the check_host()
>function (Section 4) to the "HELO" identity as the <sender>."
>
>We're coming up on the third anniversary of RFC 4408. I think it's reasonable
>to assume that using an SPF record for HELO should not be a surprise. I'm
>unaware of it ever causing an actual problem.
>
>Scott K

I detect emphatic agreement on this thread. I will work on the text/patches
in question and present it to this list this weekend.
(However, if anyone beats me to it, I will _not_ be offended. ;-> )

-dgl-




WebMaster at Commerco

Jan 9, 2009, 4:18 PM

Post #36 of 53 (4556 views)
Re: SPF on HELO - take 2 [In reply to]

Don,

"I detect emphatic agreement on this thread." - No small achievement
with this group. ;-)

Best,

Alan

At 04:54 PM 1/9/2009, you wrote:
>At 3:16 PM -0500 1/9/09, Scott Kitterman wrote:
> >On Friday 09 January 2009 15:03, Stuart D. Gathman wrote:
> >> On Fri, 9 Jan 2009, Scott Kitterman wrote:
> >> > AFAIK, no. There are people that will argue layer violations, but I'm
> >> > completely unaware of any real situations where it would be problematic.
> >>
> >> RFC4408 explicitly says to apply SPF to HELO for empty MAIL FROM.
> >> I guess the leap here is to apply it to HELO for all MAIL FROMs.
> >
> >It's not much of a leap. It's recommended:
> >
> >http://www.openspf.org/RFC_4408#helo-ident
> >
> >"It is RECOMMENDED that SPF clients not only check the "MAIL FROM" identity,
> >but also separately check the "HELO" identity by applying the check_host()
> >function (Section 4) to the "HELO" identity as the <sender>."
> >
> >We're coming up on the third anniversary of RFC 4408. I think it's reasonable
> >to assume that using an SPF record for HELO should not be a surprise. I'm
> >unaware of it ever causing an actual problem.
> >
> >Scott K
>
>I detect emphatic agreement on this thread. I will work on the text/patches
>in question and present it to this list this weekend.
>(However, If anyone beats me to it, I will _not_ be offended. ;-> )
>
>-dgl-
>
>





vesely at tana

Jan 10, 2009, 1:44 AM

Post #37 of 53 (4537 views)
Re: SPF on HELO - take 2 [In reply to]

David MacQuigg wrote:
> At 12:01 PM 1/9/2009 -0600, Don Lee wrote:
>
>>Are there any cases where the SPF records that were "intended" for MAIL FROM
>>would be misleading or otherwise harmful if used for HELO? My conclusion
>>is that there are no problems here. All SPF records published should be
>>usable to safely vet MTA connections as outlined in this thread.
>
> The problem is, if we reject at HELO, based on an SPF record for MAIL FROM, we are re-interpreting the SPF record in a way that the domain owner may not have intended. Even if there is no intention that there be a discrepancy, it can occur because HELO checking using SPF records is so rare.

One reason may be that hostmasters often forget to set that TXT
record. Many MTAs use the server's FQDN, e.g. mailout.example.com, as
a helo name. That requires a TXT record for mailout.example.com: the
TXT record for example.com won't be used for the HELO check in this
case. OTOH, if "example.com" has no A record, it is not advisable to
use that as a helo name (is it?)

From a marketing logic POV, IMHO, it may make sense to hold that an
additional TXT record for the machine name is required in case that
server ever sends out a bounce with null MAIL FROM. That's not the
only reason, though.




spf-discuss at winserver

Jan 10, 2009, 7:49 AM

Post #38 of 53 (4539 views)
Re: SPF on HELO - take 2 [In reply to]

David MacQuigg wrote:
> At 03:03 PM 1/9/2009 -0500, Stuart D. Gathman wrote:
>
>> CSV does a slightly better job at HELO checking - but hasn't gotten the traction. I've had CSV checking on
>> my TODO list for some time - any examples of real CSV records out there?
>
> _client._smtp.open-mail.org. 1800 IN SRV 1 2 1 mailout.open-mail.org.
>
> I think I may be the only one left on the planet, however.
>
> SPF actually has a better shot than CSV at "doing the job" of
> HELO checking. CSV had to convince DNS services all over the
> world that they should implement these weird SRV records.
> The only thing holding SPF back is a slight re-interpretation,
> one that will not break any existing setups.

The problem with CSV (and DKIM for that matter) was its tie ins by
their authors and friends to reputations services.

IMO, anything that requires "Batteries" isn't going to get too much
across the board endorsement.

Don't worry. Once DKIM/ADSP is finished, I got $20 bucks riding we
will be seeing Dave Crocker once again pushing CSV to, in his eyes,
"Complete the picture."


--
Hector, Engineering & Technical Support
Santronics Software, Inc.
http://www.santronics.com (sales)
http://www.winserver.com (support)
http://www.winserver.com/AupInfo (Online AUP Help)
Office: 305-248-3204





dmquigg-spf at yahoo

Jan 10, 2009, 9:23 AM

Post #39 of 53 (4530 views)
Re: SPF on HELO - take 2 [In reply to]

At 05:54 PM 1/9/2009 -0600, Don Lee wrote:

>At 3:16 PM -0500 1/9/09, Scott Kitterman wrote:
>>On Friday 09 January 2009 15:03, Stuart D. Gathman wrote:
>>> On Fri, 9 Jan 2009, Scott Kitterman wrote:
>>> > AFAIK, no. There are people that will argue layer violations, but I'm
>>> > completely unaware of any real situations where it would be problematic.
>>>
>>> RFC4408 explicitly says to apply SPF to HELO for empty MAIL FROM.
>>> I guess the leap here is to apply it to HELO for all MAIL FROMs.
>>
>>It's not much of a leap. It's recommended:
>>
>>http://www.openspf.org/RFC_4408#helo-ident
>>
>>"It is RECOMMENDED that SPF clients not only check the "MAIL FROM" identity,
>>but also separately check the "HELO" identity by applying the check_host()
>>function (Section 4) to the "HELO" identity as the <sender>."
>>
>>We're coming up on the third anniversary of RFC 4408. I think it's reasonable
>>to assume that using an SPF record for HELO should not be a surprise. I'm
>>unaware of it ever causing an actual problem.
>>
>>Scott K
>
>I detect emphatic agreement on this thread. I will work on the text/patches
>in question and present it to this list this weekend.

Think big. This may be an opportunity to make SPF records serve both purposes, not just an afterthought on the HELO check. As for layer violations, a "helo" option could show the publisher's intent to offer a simple, robust HELO check (layer 1), even if the record ends in ?all because of worry about mishandling the MAIL FROM check (layer 2).

Here is my suggestion for an "all purpose" SPF record, covering both the HELO and Mail From Identities:

1) Use IP4, MX, and A terms to list your own HELO addresses.
2) Use INCLUDE terms to list the domains of other Agents who handle your outgoing mail.
3) Minimize your use of other terms.

-- Dave







stuart at bmsi

Jan 10, 2009, 6:57 PM

Post #40 of 53 (4592 views)
Re: SPF on HELO - take 2 [In reply to]

On Sat, 10 Jan 2009, David MacQuigg wrote:

> Here is my suggestion for an "all purpose" SPF record, covering both the HELO
> and Mail From Identities:

Generally, the HELO domain is different from the MAIL FROM domain, so there
is no conflict.

example.com TXT "v=spf1 mx -all"
mx1.example.com TXT "v=spf1 a -all"
mx2.example.com TXT "v=spf1 a -all"

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.




dmquigg-spf at yahoo

Jan 11, 2009, 4:00 AM

Post #41 of 53 (4541 views)
Re: SPF on HELO - take 2 [In reply to]

At 09:57 PM 1/10/2009 -0500, Stuart D. Gathman wrote:

>On Sat, 10 Jan 2009, David MacQuigg wrote:
>
>> Here is my suggestion for an "all purpose" SPF record, covering both the HELO
>> and Mail From Identities:
>
>Generally, the HELO domain is different from the MAIL FROM domain, so there
>is no conflict.
>
>example.com TXT "v=spf1 mx -all"
>mx1.example.com TXT "v=spf1 a -all"
>mx2.example.com TXT "v=spf1 a -all"

We need a way to use *one record* for both the MAIL FROM and HELO checks. Very few domains publish SPF records for each and every HELO name. I don't believe "evangelism" will ever change that.

For example, google.com's SPF record authorizes 147456 addresses:

+++>>> 3: SPF records
-->3a: v=spf1 include:_netblocks.google.com ~all

We can't expect them to publish that many SPF records. A better alternative is to say that an SPF record will apply in a simpler way to HELO names (ignoring ?all and all the troublesome mechanisms that have generated so much opposition).

-- Dave







spfdiscuss at caution

Jan 12, 2009, 1:01 AM

Post #42 of 53 (4512 views)
Re: SPF on HELO - take 2 [In reply to]

Interim report: (not done yet - still reading)

I see several places that need massaging:

http://www.openspf.org/SPF_Record_Syntax - Describe the purpose of the SPF
record in terms that highlights its use as both a MAIL FROM and HELO check.

http://old.openspf.org/wizard.html - mention HELO in text

http://www.kitterman.com/spf/validate.html - change check near bottom of page
so it checks the HELO, and explains that the HELO is provided by the outgoing
mail server. This is all for admins, not users, so this should be
OK.

http://www.openspf.org/FAQ/Common_mistakes - There is explicit HELO mention
here. I would think that in light of conversation here, we could massage
this to lower the wall between HELO and MAIL FROM.

http://www.openspf.org/FAQ/One_record_for_each_domain - It would be good to work
HELO in here. I would be inclined to tilt the verbiage toward SPF being
an explicit authorization for certain IPs to use the domain name in email
delivery - including the HELO announcement of the MTA.

http://www.openspf.org/FAQ/What_it_does - same here. Can we tilt the
explanation from being a spam gate to being an "email authorization tag"
that can be used by the receiver?

http://www.openspf.org/FAQ/Forwarding - "For HELO checking, no worries, ...."

working.... Spirited discussions can start when I get more specific.

-dgl-





iane at sussex

Jan 12, 2009, 2:52 AM

Post #43 of 53 (4511 views)
Re: SPF on HELO - take 2 [In reply to]

--On 9 January 2009 16:04:25 +0100 Alessandro Vesely <vesely [at] tana> wrote:

> Don Lee wrote:
>>> CSV and David's _auth mechanisms do that check with much less effort
>>> and more reliability than SPF --those mechanisms provide for denying an
>>> IP to send mail for a given domain.
>>
>> Can you explain? What is "CSV and David's _auth"?
>
> Two methods designed for establishing who is authorized to relay mail in
> a hierarchically authoritative fashion, i.e. using DNS "properly" (as
> opposed to DNSBL non-hierarchical scheme.)
>
> For more info, see
> http://en.wikipedia.org/wiki/Certified_Server_Validation

That seems to be a combination of (A) checking that the domain authorises
the sending IP address to email from that domain (like SPF's HELO
implementation), followed by (B) verifying the reputation of the domain.

> http://open-mail.org/Registry.html

Apparently, this is similar but can use parts of existing SPF records for
part (A). Seems quite useful, but I think that better separation of
authorisation and reputation management would help.





--
Ian Eiloart
IT Services, University of Sussex
x3148



vesely at tana

Jan 12, 2009, 3:24 AM

Post #44 of 53 (4518 views)
Re: Interim report (was: SPF on HELO - take 2) [In reply to]

Don Lee wrote:
> Interim report: (not done yet - still reading)
>
> I see several places that need massaging:
>
> http://www.openspf.org/SPF_Record_Syntax - Describe the purpose of the SPF
> record in terms that highlight its use as both a MAIL FROM and HELO check.
>
> http://old.openspf.org/wizard.html - mention HELO in text
>
> http://www.kitterman.com/spf/validate.html - change check near bottom of page
> so it checks the HELO, and explains that the HELO is provided by the outgoing
> mail server. This is all for admins, not users, so this should be
> OK.
>
> http://www.openspf.org/FAQ/Common_mistakes - There is explicit HELO mention
> here. I would think that in light of conversation here, we could massage
> this to lower the wall between HELO and MAIL FROM.
>
> http://www.openspf.org/FAQ/One_record_for_each_domain - It would be good to work
> HELO in here. I would be inclined to tilt the verbiage toward SPF being
> an explicit authorization for certain IPs to use the domain name in email
> delivery - including the HELO announcement of the MTA.
>
> http://www.openspf.org/FAQ/What_it_does - same here. Can we tilt the
> explanation from being a spam gate to being an "email authorization tag"
> that can be used by the receiver?
>
> http://www.openspf.org/FAQ/Forwarding - "For HELO checking, no worries, ...."

Please mind also http://www.openspf.org/FAQ/The_demon_question
Its advice to SPF publishers is correct, but it is not explained (nor
entitled) adequately. A short script to generate those records might
also be handy; e.g. the following one-liner

perl -n -e 'if (m/^([a-z0-9]+)\s+IN\s+A\s+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\s*$/) {printf "%-16sIN TXT \"v=spf1 -all\"\n", $1;}' /your/zone/file
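A Python version of the record generator described above, added here as an example; it is not Vesely's one-liner and not anything published by openspf.org. It works on a constructed zone fragment and assumes that the zone's MX targets are the hosts that announce their own name in HELO, so they get "v=spf1 a -all" while every other host with an A record gets the "-all" record the demon-question FAQ advises:

```python
import re

# Constructed zone fragment for the example (not from the thread).
ZONE = """\
$ORIGIN example.com.
@        IN  MX   10 mx1
@        IN  MX   20 mx2
mx1      IN  A    192.0.2.10
mx2      IN  A    192.0.2.11
www      IN  A    192.0.2.20
ftp      IN  A    192.0.2.21
ns1      IN  AAAA 2001:db8::1
"""

# Owner, optional TTL, class IN, type A, dotted-quad address.
A_RECORD = re.compile(
    r"^([a-z0-9-]+)\s+(?:\d+\s+)?IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.I)
# Zone-apex MX with a (possibly relative) target name.
MX_RECORD = re.compile(
    r"^@\s+(?:\d+\s+)?IN\s+MX\s+\d+\s+([a-z0-9.-]+)\s*$", re.I)


def helo_spf_records(zone_text):
    """Return (owner, policy) pairs for every host that has an A record.

    MX targets are assumed to send mail with their own name in HELO, so
    they are authorised for their own address ("a -all"); all other hosts
    never send mail and get a plain "-all" record.
    """
    mx_hosts = set()
    hosts = []
    for line in zone_text.splitlines():
        m = MX_RECORD.match(line)
        if m:
            # Assumption: MX targets live in this zone; keep the first label.
            mx_hosts.add(m.group(1).rstrip(".").split(".")[0].lower())
            continue
        m = A_RECORD.match(line)
        if m:
            hosts.append(m.group(1).lower())
    return [(h, "v=spf1 a -all" if h in mx_hosts else "v=spf1 -all")
            for h in hosts]


def format_zone_lines(records):
    """Render the pairs as zone-file TXT lines, owner padded to 16 columns."""
    return [f'{owner:<16}IN TXT "{policy}"' for owner, policy in records]
```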



stuart at bmsi

Jan 12, 2009, 7:15 AM

Post #45 of 53 (4506 views)
Re: SPF on HELO - take 2 [In reply to]

On Sun, 11 Jan 2009, David MacQuigg wrote:

> >Generally, the HELO domain is different from the MAIL FROM domain, so there
> >is no conflict.
> >
> >example.com TXT "v=spf1 mx -all"
> >mx1.example.com TXT "v=spf1 a -all"
> >mx2.example.com TXT "v=spf1 a -all"
>
> We need a way to use *one record* for both the MAIL FROM and HELO checks.
> Very few domains publish SPF records for each and every HELO name. I don't
> believe "evangelism" will ever change that.

That is trivial too. You can pick any name you wish for HELO, including
a domain the same as MAIL FROM.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.



dmquigg-spf at yahoo

Jan 12, 2009, 8:55 AM

Post #46 of 53 (4512 views)
Re: SPF on HELO - take 2 [In reply to]

At 10:15 AM 1/12/2009 -0500, Stuart D. Gathman wrote:

>On Sun, 11 Jan 2009, David MacQuigg wrote:
>
>> >Generally, the HELO domain is different from the MAIL FROM domain, so there
>> >is no conflict.
>> >
>> >example.com TXT "v=spf1 mx -all"
>> >mx1.example.com TXT "v=spf1 a -all"
>> >mx2.example.com TXT "v=spf1 a -all"
>>
>> We need a way to use *one record* for both the MAIL FROM and HELO checks.
>> Very few domains publish SPF records for each and every HELO name. I don't
>> believe "evangelism" will ever change that.
>
>That is trivial too. You can pick any name you wish for HELO, including
>a domain the same as MAIL FROM.

I would expect some resistance to this from the IETF. RFC 5321 (see below) seems to say that the name has to be specific to one client machine. I have also heard some discussion (I can't recall where) in which a large ESP was criticized for putting only its domain name in the HELO command.

Even if we got all transmitters to change their HELO names, we would still have a problem with re-interpretation of the SPF record. Can we ignore ?all and REJECT connections without the domain owner's explicit permission?

-- Dave


http://tools.ietf.org/html/rfc5321#page-32

4.1.1.1. Extended HELLO (EHLO) or HELLO (HELO)

These commands are used to identify the SMTP client to the SMTP
server. The argument clause contains the fully-qualified domain name
of the SMTP client, if one is available. In situations in which the
SMTP client system does not have a meaningful domain name (e.g., when
its address is dynamically allocated and no reverse mapping record is
available), the client SHOULD send an address literal (see
Section 4.1.3).



scott at kitterman

Jan 12, 2009, 9:02 AM

Post #47 of 53 (4511 views)
Re: SPF on HELO - take 2 [In reply to]

On Sun, 11 Jan 2009 05:00:25 -0700 David MacQuigg <dmquigg-spf [at] yahoo>
wrote:
>At 09:57 PM 1/10/2009 -0500, Stuart D. Gathman wrote:
>
>>On Sat, 10 Jan 2009, David MacQuigg wrote:
>>
>>> Here is my suggestion for an "all purpose" SPF record, covering both
>>> the HELO and Mail From Identities:
>>
>>Generally, the HELO domain is different from the MAIL FROM domain, so
>>there is no conflict.
>>
>>example.com TXT "v=spf1 mx -all"
>>mx1.example.com TXT "v=spf1 a -all"
>>mx2.example.com TXT "v=spf1 a -all"
>
>We need a way to use *one record* for both the MAIL FROM and HELO checks.
>Very few domains publish SPF records for each and every HELO name. I don't
>believe "evangelism" will ever change that.
>
>For example, google.com's SPF record authorizes 147456 addresses:
>
>+++>>> 3: SPF records
>-->3a: v=spf1 include:_netblocks.google.com ~all
>64.18.0.0/20 4096
>64.233.160.0/19 8192
>66.102.0.0/20 4096
>66.249.80.0/20 4096
>72.14.192.0/18 16384
>74.125.0.0/16 65536
>207.126.144.0/20 4096
>209.85.128.0/17 32768
>216.239.32.0/19 8192
> Totals: 9 147456
>
>We can't expect them to publish that many SPF records. A better
>alternative is to say that an SPF record will apply in a simpler way to
>HELO names (ignoring ?all and all the troublesome mechanisms that have
>generated so much opposition).
>
It's up to them. It's not like they write their zone files by hand.
Adding HELO records is trivially scriptable.

We had a tree walking algorithm in some pre-RFC draft, but it proved
problematic and was removed.

Scott K



vesely at tana

Jan 12, 2009, 9:04 AM

Post #48 of 53 (4507 views)
Re: SPF on HELO - take 2 [In reply to]

Stuart D. Gathman wrote:
> On Sun, 11 Jan 2009, David MacQuigg wrote:
>> >Generally, the HELO domain is different from the MAIL FROM domain, so there
>> >is no conflict.
>> >
>> >example.com TXT "v=spf1 mx -all"
>> >mx1.example.com TXT "v=spf1 a -all"
>> >mx2.example.com TXT "v=spf1 a -all"
>>
>> We need a way to use *one record* for both the MAIL FROM and HELO checks.
>> Very few domains publish SPF records for each and every HELO name. I don't
>> believe "evangelism" will ever change that.
>
> That is trivial too. You can pick any name you wish for HELO, including
> a domain the same as MAIL FROM.

However, doing so discards the possibility of using the helo name as a
"better and cheaper rDNS", which you mentioned earlier in this thread.
In addition, the sender would fail those draconian HELO-to-DNS checks
if the MAIL FROM domain doesn't have the corresponding A record.

SPF does not currently provide for a _default.example.com record. Even
if it did, that would amount to two records, not *one*.

How many senders would be broken by a HELO test that checks against
each successive zone cut until it finds an SPF (or TXT) record?
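To make the trade-offs in this exchange concrete, here is an added example (not code from the thread, openspf.org or any SPF library) of a receiver-side HELO check over a constructed in-memory DNS. It handles only the a, mx, ip4 and all mechanisms with their qualifiers, which is all the records quoted above use, and has an optional zone-cut walk so one can see what the parent record does to a host that has no record of its own:

```python
import ipaddress

# Constructed DNS data (assumption, not real zones): Stuart's layout plus
# mx3, which has an A record but no SPF record, and a "?all" publisher.
DNS = {
    "example.com":     {"TXT": "v=spf1 mx -all",
                        "MX": ["mx1.example.com", "mx2.example.com"]},
    "mx1.example.com": {"TXT": "v=spf1 a -all", "A": ["192.0.2.10"]},
    "mx2.example.com": {"TXT": "v=spf1 a -all", "A": ["192.0.2.11"]},
    "mx3.example.com": {"A": ["192.0.2.12"]},
    "lax.example.org": {"TXT": "v=spf1 ip4:198.51.100.0/24 ?all",
                        "A": ["198.51.100.5"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def addrs_of(name):
    """A records of a name as address objects (empty set if none)."""
    return {ipaddress.ip_address(a) for a in DNS.get(name, {}).get("A", [])}


def check_helo(ip, helo, walk_zone_cuts=False):
    """Evaluate the HELO identity against the record at the HELO name.

    Returns pass/fail/softfail/neutral/none/permerror. With
    walk_zone_cuts=True a name without a record is retried at each parent
    label, the scheme Vesely asks about; the mechanisms are then evaluated
    relative to the parent name, so "mx" means the parent's MX hosts.
    """
    ip = ipaddress.ip_address(ip)
    name = helo.lower().rstrip(".")
    record = DNS.get(name, {}).get("TXT")
    while record is None and walk_zone_cuts and "." in name:
        name = name.split(".", 1)[1]
        record = DNS.get(name, {}).get("TXT")
    if record is None or not record.startswith("v=spf1 "):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "a":
            matched = ip in addrs_of(name)
        elif mech == "mx":
            matched = any(ip in addrs_of(mx)
                          for mx in DNS.get(name, {}).get("MX", []))
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        else:
            return "permerror"   # unsupported mechanism in this toy checker
        if matched:
            return RESULT[qualifier]
    return "neutral"            # no mechanism matched and no "all" term
```

Note that mx3.example.com goes from "none" to "fail" once the walk reaches the parent's "mx -all" record, which is exactly the breakage the question above is asking about.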



scott at kitterman

Jan 12, 2009, 9:05 AM

Post #49 of 53 (4502 views)
Re: SPF on HELO - take 2 [In reply to]

On Mon, 12 Jan 2009 03:01:29 -0600 Don Lee
<spfdiscuss [at] caution> wrote:
>http://www.kitterman.com/spf/validate.html - change check near bottom of
>page so it checks the HELO, and explains that the HELO is provided by the
>outgoing mail server. This is all for admins, not users, so this should be
>OK.

Send me a patch and I'll be glad to publish it. I don't have a lot of time
to work on this right now.

Scott K



scott at kitterman

Jan 12, 2009, 9:11 AM

Post #50 of 53 (4513 views)
Re: SPF on HELO - take 2 [In reply to]

On Mon, 12 Jan 2009 09:55:21 -0700 David MacQuigg <dmquigg-spf [at] yahoo>
wrote:
...
>Even if we got all transmitters to change their HELO names, we would still
>have a problem with re-interpretation of the SPF record. Can we ignore
>?all and REJECT connections without the domain owner's explicit permission?
>

What re-interpretation?

Receivers never need permission to reject. Senders cannot dictate receiver
policy.

Scott K
