alex at ergens
Jul 13, 2009, 10:09 AM
Post #9 of 17
(2795 views)
Permalink
|
----- Original Message -----
From: "Stuart D. Gathman" <stuart [at] bmsi>
To: <spf-discuss [at] v2>
Sent: Monday, July 13, 2009 6:34 PM
Subject: Re: [spf-discuss] Feature request for SPFv3
> On Sat, 11 Jul 2009, Alex van den Bogaerdt wrote:
>
>> > In my "best-guess" algorithm, a validated HELO (that resolves to the
>> > connect ip)
>> > is added to the collection of validated PTR records for the PTR
>> > mechanism.
>> >
>> > I propose to make this a MUST behaviour for spfv3.
>>
>> It seems a newline is needed here. Your next line talks about HELO which
>> cannot be validated.
>
> HELO is "validated" in the same way a PTR record is - by checking for
> a match with connect ip.
My point is: either DNS is setup correctly, PTR records are setup, or it
isn't. "... find it difficult to get their ISP to maintain PTR records."
seems to indicate that DNS is not setup correctly.
Anyway, this does not seem to be important, read on.
>> > While SPF macros can select the rightmost parts of HELO,
>>
>> Why would one do this?
>
> To match it to the mail domain like with the SPF ptr mechanism.
???
AFAIK the ptr mechanism does not tie helo to the mail domain.
>> > and it is
>> > possible for SPF to verify that HELO matches the connect ip (somewhat
>> > kludgily),
>>
>> Am I missing something? You seem to be describing the following:
[deleted by stuart: v=spf a -all]
> You are missing something. Think of HELO as a PTR record that is
> supplied via SMTP instead of a DNS lookup.
Verifying that the connected IP and the HELO parameter match, is done using
the "a" mechanism.
Even if the DNS in-addr.arpa entry points to that bigisp, which then points
back to the IP address, "v=spf1 a -all" will still validate an HELO
parameter like "smtp-out.example.com".
>> > I haven't hit on a way to check that the rightmost parts
>> > of HELO match the MAILFROM domain using spfv1.
>>
>> The ptr mechanism, which should be abandoned IMHO, does this. But indeed
>> that needs a properly setup DNS. It seems that you propose something like
>> "heloptr" which would use the HELO parameter instead of what is found in
>> the
>> in-addr.arpa part of the DNS tree. Those who are unable or unwilling to
>> setup DNS correctly, won't understand that "heloptr" would also match
>> dyn-10-1-2-3.customer.example.com. This may or may not be harmful, but is
>> probably not what was intended.
>
> It is what was intended. When example.com contracts with bigisp.com to
> provide a dsl account with a small static IP block (typically /29), the
> problem
> is that bigisp.com is typically unable to reliably provide PTR records
> chosen by example.com[*]. However, the PTR record they do chose will
> be something like 'dyn-10-1-2-3.bigisp.com', *not*
> 'dyn-10-1-2-3.example.com',
> (never mind that the contract is for static ips).
I chose "example.com" because of RFC 2606. Anyway...
Why would dyn-10-1-2-4.bigisp.com need to be authorized?
(notice: 4, not 3)
After all, if you're going to take the rightmost part of the HELO string,
both end in bigisp.com or in example.com, whatever it is you're trying to
tell us ...
I may not be the smartest one on this list but I'm not stupid and I don't
understand what you're trying to do. Perhaps you should write an example
smtp dialog, including some remarks where and why your "heloptr" would make
a difference, to make clear what you want. Thanks.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
|
