Mailing List Archive: SPF: Discuss

Resolving MFROM/HELO conflicts

Index | Next | Previous | View Threaded

stuart at bmsi

Jan 13, 2010, 10:00 AM

Post #1 of 20 (3324 views)
Permalink

Resolving MFROM/HELO conflicts

Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says
to reject, but SPF for MAIL FROM says Pass, which takes precedence? For
spfv1, I think we are stuck with "receiver policy" (especially since
checking HELO is optional). Should we specify a precedence for spfv3?
Make HELO check a MUST? Or keep HELO optional, but give precedence to
MFROM?

Here is an example for the latter. Set SPF for HELO to "v=spfv3sdg -all".
This has the effect of saying "this server only legitimately sends
MFROM with SPF" (with MFROM taking precedence).

We would probably need to specify the whole matrix of MFROM vs HELO
SPF results.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

macquigg at ece

Jan 13, 2010, 11:54 AM

Post #2 of 20 (3268 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

Stuart D. Gathman wrote:
> Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says
> to reject, but SPF for MAIL FROM says Pass, which takes precedence? For
> spfv1, I think we are stuck with "receiver policy" (especially since
> checking HELO is optional). Should we specify a precedence for spfv3?
> Make HELO check a MUST? Or keep HELO optional, but give precedence to
> MFROM?
>
> Here is an example for the latter. Set SPF for HELO to "v=spfv3sdg -all".
> This has the effect of saying "this server only legitimately sends
> MFROM with SPF" (with MFROM taking precedence).
>
> We would probably need to specify the whole matrix of MFROM vs HELO
> SPF results.
>
>
The HELO check should be mandatory, and should take precedence over the
MFROM check. There is no "forwarding problem" (or any other excuse for
failure) with the HELO check. Furthermore, all the "bells and whistles"
in an SPF record should not apply to the HELO check. It should be a
simple Pass/Fail, with an immediate SMTP REJECT on Fail.

This is the only way I can see SPF will ever fulfill its original
promise of eliminating domain name forgery.

--
************************************************************ *
* David MacQuigg, PhD email: macquigg at ece.arizona.edu * *
* Research Associate phone: USA 520-721-4583 * * *
* ECE Department, University of Arizona * * *
* 9320 East Mikelyn Lane * * *
* http://purl.net/macquigg Tucson, Arizona 85710 *
************************************************************ *

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jan 13, 2010, 1:20 PM

Post #3 of 20 (3263 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

At 18:00 13/01/2010 Wednesday, Stuart D. Gathman wrote:
>Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says
>to reject, but SPF for MAIL FROM says Pass, which takes precedence? For
>spfv1, I think we are stuck with "receiver policy" (especially since
>checking HELO is optional). Should we specify a precedence for spfv3?
>Make HELO check a MUST? Or keep HELO optional, but give precedence to
>MFROM?
>
>Here is an example for the latter. Set SPF for HELO to "v=spfv3sdg -all".
>This has the effect of saying "this server only legitimately sends
>MFROM with SPF" (with MFROM taking precedence).
>
>We would probably need to specify the whole matrix of MFROM vs HELO
>SPF results.

I hate to say it but on this we could take a leaf from M$

ie in spf3
add manditory /scope

v=spf3/helo rest of record...
or
v=spf3/mfrom rest of record...

or for those wanting to send from and helo as the same domain
v=spf3/helo/mfrom or spf3/mfrom/helo

but i would suggest not allowing that and forcing either
v=spf3/helo
or/and
v=spf3/mfrom

also i'd suggest when using the record to evaluate helo any ?all ~all -all be treated equal as helo is a simple pass/fail scenario
also when evaluating helo currently it evaluates postmaster [at] hel i would suggest we could even drop the ?all ~all +all and [localpart related macros] from the helo evaluation syntax

additionally as i suggested previously it would also allow us to subsume those that use/check sender-id by allowing those that believe in that mess to add
v=spf3/pra to their mix
{but to treat records as only applicable to the scope as published}
ie so when i publish a
v=spf3/mfrom ............ -all
v=spf3/helo -all
for my domain it explicitly says i have no host heloing as "alandoherty.net"
test mfrom and never attempt-to-validate pra

likewise i could publish a much smaller spf for bigsvr.alandoherty.net
v=spf3/mfrom -all
v=spf3/helo ........ -all

instead of the one atm that through macros and wildcard DNS validates only postmaster [at] bigsvr so outgoing service users cannot send from @bigsvr.alandoherty.net

to handle users only publishing a partial scope id recomend

users publishing no v=spf3 records for a domain would be defaulted to spf1 or lacking that
equivalent to
v=spf3/mfrom assumed pass
v=spf3/helo assumed pass

users only publishing a v=spf3/mfrom on a domain
must be assumed to have a v=spf3/helo of -all {NEW}

users only publishing a v=spf3/helo on a domain
must be assumed to have a v=spf3/mfrom which passes

and it would be hoped that all spfv3 checking functions would always check helo
if fail thats it!
if pass or assumed pass due to no record then continue on to check the mfrom details

i know its how i code my checks currently, but as so few even bother to put up any spf for helo-domains it would be great to see it a mandated check, but still pass for those forced to use an ISP relay with no spf for its helo

i do also think adding syntax to mfrom spf checks to explicitly say "if the helo didn't pass/have an spf, dump" would be unnecessary for those with all their own MTA's as they wont allow attempted use of their mfrom from outside those hosts they control.
so if it gets to the mform check the sender already passed helo check, or had no helo SPF, if they had no helo SPF, what chance is their that their sending IP is in the allowed range for the mfrom

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jan 13, 2010, 2:39 PM

Post #4 of 20 (3276 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

> At 18:00 13/01/2010 Wednesday, Stuart D. Gathman wrote:
> >Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says
> >to reject, but SPF for MAIL FROM says Pass, which takes precedence? For

On Wed, 13 Jan 2010, alan wrote:
> add manditory /scope
>
> v=spf3/helo rest of record...
> or
> v=spf3/mfrom rest of record...
> ... additional useful discussion that misses the original issue

Your proposal doesn't change the fact that HELO and MFROM may give
opposing results. The scope might be a good idea, but HELO != MFROM
domain in most cases anyway, so it is not an issue for this thread.

MacQuig suggests making HELO mandatory with precedence. (MUST check HELO,
if result is anything other than Pass, overall SPF result is Fail.)

My suggestion was to make HELO optional with MFROM having precedence.

Here is one possible matrix:

MFROM
HELO None Neutral Softfail Fail PermErr TempErr
None None Neutral Softfail Fail PermErr TempErr
Neutral Fail Fail Fail Fail PermErr TempErr
SoftFail Fail Fail Fail Fail PermErr TempErr
Fail Fail Fail Fail Fail PermErr TempErr
PermErr PermErr PermErr Softfail Fail PermErr TempErr
TempErr TempErr TempErr Softfail Fail PermErr TempErr
Pass Neutral Neutral Softfail Fail PermErr TempErr

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jan 13, 2010, 4:09 PM

Post #5 of 20 (3266 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

At 22:39 13/01/2010 Wednesday, Stuart D. Gathman wrote:
>> At 18:00 13/01/2010 Wednesday, Stuart D. Gathman wrote:
>> >Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says
>> >to reject, but SPF for MAIL FROM says Pass, which takes precedence? For
>
>On Wed, 13 Jan 2010, alan wrote:
>> add manditory /scope
>>
>> v=spf3/helo rest of record...
>> or
>> v=spf3/mfrom rest of record...
>> ... additional useful discussion that misses the original issue
>
>Your proposal doesn't change the fact that HELO and MFROM may give
>opposing results. The scope might be a good idea, but HELO != MFROM
>domain in most cases anyway, so it is not an issue for this thread.
>
>MacQuig suggests making HELO mandatory with precedence. (MUST check HELO,
>if result is anything other than Pass, overall SPF result is Fail.)
>
>My suggestion was to make HELO optional with MFROM having precedence.

well heres the part of the {yes it was long} mail that stated my preference

"and it would be hoped that all spfv3 checking functions would always check helo
if fail thats it!
if pass or assumed pass due to no record then continue on to check the mfrom details"

my justification is if the owner of the HELO domain explicitly claims it is forged,
who cares if the ratware is within the ISP of the forged envelope-sender
{as the envelope-senders often have to allow large sweeps of IP's due to not having direct control of which IPS their ISP might designate to outgoing mail service}

>Here is one possible matrix:
>
> MFROM
>HELO None Neutral Softfail Fail PermErr TempErr Pass
>None None Neutral Softfail Fail PermErr TempErr ?
>Neutral Fail Fail Fail Fail PermErr TempErr ?
>SoftFail Fail Fail Fail Fail PermErr TempErr ?
>Fail Fail Fail Fail Fail PermErr TempErr ?
>PermErr PermErr PermErr Softfail Fail PermErr TempErr ?
>TempErr TempErr TempErr Softfail Fail PermErr TempErr ?
>Pass Neutral Neutral Softfail Fail PermErr TempErr ?

so to re-use your matrix i would suggest {if using scopes and not allowing ~all ?all in helo scope}
MFROM
None Neutral Softfail Fail PermErr TempErr pass
HELO
None None Neutral Softfail Fail PermErr TempErr pass
Fail Fail Fail Fail Fail Fail Fail fail
PermErr PermErr PermErr PermErr Fail PermErr TempErr pass
TempErr TempErr TempErr TempErr Fail TempErr TempErr pass
Pass Neutral Neutral Softfail Fail PermErr TempErr pass

but personally i would see no reason for 1 result for two entirely {logically} unrelated tests
I currently report to users MUA's HELO-SPF-PASS and HELO-SPF-NONE and reject at rcpt-to if HELO-SPF-FAIL {without ever looking-up the mail-from}
I only process the mail-from identity SPF if the HELO is already non-fail {i do not fail on neutral or softfail but in 3 years have never seen one {and i have a special logwatcher looking}}
this is reported to the user as a standard SPF result header {few users reject on mfrom-spf-fail due to badly setup spfs/forwarders/and invite spam {that they seem to want}

but with helo domain its fairly cut n dry it either is one of the outbound ip's of that server/cluster or it isn't

thats why i think separate the two results, even separate the utility/syntax for checking/reporting them.
thus if helo spf fails, receivers can mark the stream for later reject with out any more overhead
{of looking up mail-froms mx's spf rhdnsbl etc}
but in the case of a known false negative result {say incompetent ISP}, the receiver can learn of it and whitlist this ip against helo spf checks

then later the mfrom spf checks are done
like now in spfv1 allow mfrom through macros and redirects to succeed/fail based on helo value
{but if the spf record doesn't reference the helo value directly it dosn't effect the result of the mfrom-spf-check}

then {for those receivers who reject nothing} have a standard header reporting the HELO-spf status FAIL/PASS/NONE/PE/TE
and the mfrom-spf-status of FAIL/PASS/SOFTFAIL/NEUTRAL/NONE/PE/TE

but as never should the helo success/pass result be dependant on anything but its ip
my server name doesn't become a forgery just because an unexpected envelope-sender appears on the email
conversely a forgery of my server name doesn't become legit because an envelope-senders SPF

>--
> Stuart D. Gathman <stuart [at] bmsi>
> Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
>"Confutatis maledictis, flammis acribus addictis" - background song for
>a Microsoft sponsored "Where do you want to go from here?" commercial.
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/735/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/735/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jan 13, 2010, 9:43 PM

Post #6 of 20 (3260 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

On Thu, 14 Jan 2010, alan wrote:

> but as never should the helo success/pass result be dependant on anything but
> its ip my server name doesn't become a forgery just because an unexpected
> envelope-sender appears on the email conversely a forgery of my server name
> doesn't become legit because an envelope-senders SPF

A good point. Which leads back to receiver policy as to whether to reject
for either/both.

Rejecting on HELO fail has caused the most ire. One of my clients lost
a customer because that customer was sending mail with HELO fail,
and got mad when their email was rejected (used a CNAME):

mail.incompetent.com IN CNAME incompetent.com.
incompetent.com IN TXT "v=spf1 a mx -all"
incompetent.com IN A 1.2.3.4

And of course, the IP of the MTA using mail.incompetent.com is not 1.2.3.4 or
any of the mxes.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jan 14, 2010, 1:05 AM

Post #7 of 20 (3260 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

At 05:43 14/01/2010 Thursday, Stuart D. Gathman wrote:
>On Thu, 14 Jan 2010, alan wrote:
>
>> but as never should the helo success/pass result be dependant on anything but
>> its ip my server name doesn't become a forgery just because an unexpected
>> envelope-sender appears on the email conversely a forgery of my server name
>> doesn't become legit because an envelope-senders SPF
>
>A good point. Which leads back to receiver policy as to whether to reject
>for either/both.

well I'd advise recommending receivers test both separately with separate utilities or separate calls to the one utility

ie spf3test-client --helo $helo-id $connecting-ip
outputs pass/fail/none/permerror/temperr as errorlevel and suitable header on stdout

then later in the smtp transaction
test the mfrom with
spf3test-client --mfrom $mfrom-id $connecting-ip $helo-id

{at this stage the helo spf should not be consulted at all, it is there purely for use by the %{h} macro if used in the mfrom spf record}

>Rejecting on HELO fail has caused the most ire. One of my clients lost
>a customer because that customer was sending mail with HELO fail,
>and got mad when their email was rejected (used a CNAME):
>
>mail.incompetent.com IN CNAME incompetent.com.
>incompetent.com IN TXT "v=spf1 a mx -all"
>incompetent.com IN A 1.2.3.4
>
>And of course, the IP of the MTA using mail.incompetent.com is not 1.2.3.4 or
>any of the mxes.

well heloing as a cname would cause a fail before SPF checks even happen for most

as although the rfc's {stupidly IMNHO} don't demand that your helo properly points to your connecting ip
they do at least demand the helo has an A {not a cname} {unfortunatly any A will do}

{I personally only accept a helo that dosn't resolve to the ip connected if they have an SPF or CSV to validate that its non-forged}
any mis-configured senders usually appreciate the heads-up as to why their sending reputation is mud, and if they are multi homed and have a sloppy dns provider that cannot mount all their ips {some gui's only allow one ip per A} they just add an spf record for their helo to fix while shopping for a professional DNS hoster

my users though do often allow all kinds of helo sloppy ness {their email-their choice} but they do get each error/violation enumerated in the visible headers on each email {this has been enough embarrassment to have senders fix up their systems or contact me for help}

the fact that many are listed under X-AD-RPFS-DUMB-[0-3]: headers depending on level of stupidity http://www.alandoherty.net/mailsystem/mail-tagging/

but also i would say that a helo if cname shouldn't be followed by SPF clients they should give {permfail}
as a helo having a cname would be a violation of RFC

>--
> Stuart D. Gathman <stuart [at] bmsi>
> Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
>"Confutatis maledictis, flammis acribus addictis" - background song for
>a Microsoft sponsored "Where do you want to go from here?" commercial.
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/735/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/735/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

vesely at tana

Jan 14, 2010, 4:30 AM

Post #8 of 20 (3260 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

David MacQuigg wrote:
> Stuart D. Gathman wrote:
>> Here is a little nit that wasn't addressed in RFC4408. If HELO SPF
>> says to reject, but SPF for MAIL FROM says Pass, which takes
>> precedence? For spfv1, I think we are stuck with "receiver policy"
>> (especially since checking HELO is optional). Should we specify a
>> precedence for spfv3?
>> Make HELO check a MUST? Or keep HELO optional, but give precedence to
>> MFROM?
>
> The HELO check should be mandatory, and should take precedence over the
> MFROM check. There is no "forwarding problem" (or any other excuse for
> failure) with the HELO check. Furthermore, all the "bells and whistles"
> in an SPF record should not apply to the HELO check. It should be a
> simple Pass/Fail, with an immediate SMTP REJECT on Fail.

We had already talked with John Klensin about this subject and
concluded that it is hardly practicable because of brain damaged
clients out there who don't even know their IP address. John suggested
to use a different verb, VHLO, for clients who wish to undergo such a
severe scrutiny. A "pass" would then result in some sort of
whitelisting. I've detailed the finish for this line of thought in
http://tools.ietf.org/html/draft-vesely-vhlo

IMHO, in spfv3, we can drop the whole idea of HELO-checking, because
backscattering has been substantially reduced in the mean time, while
SPF records for host names have never flown.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jan 14, 2010, 8:37 AM

Post #9 of 20 (3263 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

At 12:30 14/01/2010 Thursday, Alessandro Vesely wrote:
>David MacQuigg wrote:
>>Stuart D. Gathman wrote:
>>>Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says to reject, but SPF for MAIL FROM says Pass, which takes precedence? For spfv1, I think we are stuck with "receiver policy" (especially since checking HELO is optional). Should we specify a precedence for spfv3?
>>>Make HELO check a MUST? Or keep HELO optional, but give precedence to MFROM?
>>
>>The HELO check should be mandatory, and should take precedence over the MFROM check. There is no "forwarding problem" (or any other excuse for failure) with the HELO check. Furthermore, all the "bells and whistles" in an SPF record should not apply to the HELO check. It should be a simple Pass/Fail, with an immediate SMTP REJECT on Fail.
>
>We had already talked with John Klensin about this subject and concluded that it is hardly practicable because of brain damaged clients out there who don't even know their IP address. John suggested to use a different verb, VHLO, for clients who wish to undergo such a severe scrutiny. A "pass" would then result in some sort of whitelisting. I've detailed the finish for this line of thought in http://tools.ietf.org/html/draft-vesely-vhlo
>
>IMHO, in spfv3, we can drop the whole idea of HELO-checking, because backscattering has been substantially reduced in the mean time, while SPF records for host names have never flown.

I disagree on the spf for host names front, spf's largest utility with zero potential for false positives is in host domains that never legitimately transmit mail.

it prevents all forgery of receive only, and never used domain address',
and through receiver side policies that favor full spf adopting domains, over domains only using spf for their sending domains and not limiting the forgery of non-sending domains, I believe strongly that more domains will move toward spf blacklisting their non sending hosts, and this move alone will force others to do likewise due to 'peer pressure' as their reputation in receivers eyes lowers due to others rising

separating helo and mfrom scope into two essentially separate records
would simplify this for implementors of spf as instead of kludges to allow helo only with macros/redirects {such as mine for bigsvr.alandoherty.net

as then we could simply have
v=spf3/mfrom -all
v=spf3/helo -all
on all non externally mailing hostnames/domains
and
v=spf3/mfrom -all
v=spf3/helo a -all
on all helo identity domains
and
v=spf3/helo -all
v=spf3/mfrom ..........all
on all domains used in sending envelopes

vhlo or anything similar could not be used by anyone {no matter how well administered their servers} without a new MTA becoming available and it being widely adopted

spf /senderid/spf3 dkim csv and others succeed purely due to them being possible to implement externally to the mta's via milters librarys plugins {and then eventually offered natively in closed box mailservers}

for spf3 to implement scopes we just need to recommend that receivers do a helo pass {on the helo}
then a mfrom pass {on the mfrom}

as no one can force them they can always decide to not do the helo pass {if say the api available cannot for example}

additionally we just need to recommend all domains have both scopes defined for the spfv3 to be syntactically valid
and recommend defining an spfv3 for all used/unused hostnames also

if they don't bother adding an spfv3 to their helo domain, they will not suffer rejection,
any more than sending via an external ISP that dosn't use SPF at all. except in receiver side reputation
{this alone will make it worthwhile given time}

I know many domains still add both CSV & spf and ptr-of xxx.mxout.xxx.xxx for this reason, as it adds to your positive rep if seen and understood to be an attempt to distinguish your mta as well administered and not ratware on a trojaned server.

for this reason alone many + your reputation for adding spf for non-helo non-sender domains

if you helo as hhh.[xxx.]domain.tld have fqrds of yyy.[zzz.]domain.tld and helo passes spf and ptr fails that gets you maximum possible spf reputation points here
{having helo resolve to connecting ip, having a csv-pass, having dnswl.org record listing can add further of course but not as much in one protocol}

{as it shows your MTA is authorised to run on that host, and that you have made best efforts to block trojans/ratware on the same host/ip (as they can only easily determine their own ptr id) }

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at caution

Jan 14, 2010, 12:52 PM

Post #10 of 20 (3260 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

>David MacQuigg wrote:
>> Stuart D. Gathman wrote:
>>> Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says to reject, but SPF for MAIL FROM says Pass, which takes precedence? For spfv1, I think we are stuck with "receiver policy" (especially since checking HELO is optional). Should we specify a precedence for spfv3?
>>> Make HELO check a MUST? Or keep HELO optional, but give precedence to MFROM?
>>
>> The HELO check should be mandatory, and should take precedence over the MFROM check. There is no "forwarding problem" (or any other excuse for failure) with the HELO check. Furthermore, all the "bells and whistles" in an SPF record should not apply to the HELO check. It should be a simple Pass/Fail, with an immediate SMTP REJECT on Fail.
>
>We had already talked with John Klensin about this subject and concluded that it is hardly practicable because of brain damaged clients out there who don't even know their IP address. John suggested to use a different verb, VHLO, for clients who wish to undergo such a severe scrutiny. A "pass" would then result in some sort of whitelisting. I've detailed the finish for this line of thought in http://tools.ietf.org/html/draft-vesely-vhlo
>
>IMHO, in spfv3, we can drop the whole idea of HELO-checking, because backscattering has been substantially reduced in the mean time, while SPF records for host names have never flown.
>

FWIW - I find that over time, (non-spammer) mailservers
that do not issue a reasonable HELO/EHLO are increasingly rare.

On the one hand, CNAME for HELO is all too common (and accepted - wrong
though it may be), but HELO that does not resolve, or does not have
port 25 open on the resolved IP is more and more commonly the reason
for mail from that server being rejected.

As a result, SPF on host names, and a requirement that HELO be "OK"
is more and more palatable as a standard.

For my mailserver, which I admit is relatively small, I see several
thousand incoming unique hosts each day, and filter quite successfully on
a series of filters based on HELO. I can count on one hand the number of
complaints of "false positives" with this technique in the last
5 years.

YMMV.

-dgl-

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

macquigg at ece

Jan 14, 2010, 2:07 PM

Post #11 of 20 (3266 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

Don Lee wrote:
>> David MacQuigg wrote:
>>
>>> Stuart D. Gathman wrote:
>>>
>>>> Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says to reject, but SPF for MAIL FROM says Pass, which takes precedence? For spfv1, I think we are stuck with "receiver policy" (especially since checking HELO is optional). Should we specify a precedence for spfv3?
>>>> Make HELO check a MUST? Or keep HELO optional, but give precedence to MFROM?
>>>>
>>> The HELO check should be mandatory, and should take precedence over the MFROM check. There is no "forwarding problem" (or any other excuse for failure) with the HELO check. Furthermore, all the "bells and whistles" in an SPF record should not apply to the HELO check. It should be a simple Pass/Fail, with an immediate SMTP REJECT on Fail.
>>>
>> We had already talked with John Klensin about this subject and concluded that it is hardly practicable because of brain damaged clients out there who don't even know their IP address. John suggested to use a different verb, VHLO, for clients who wish to undergo such a severe scrutiny. A "pass" would then result in some sort of whitelisting. I've detailed the finish for this line of thought in http://tools.ietf.org/html/draft-vesely-vhlo
>>
>> IMHO, in spfv3, we can drop the whole idea of HELO-checking, because backscattering has been substantially reduced in the mean time, while SPF records for host names have never flown.
>>
>
> FWIW - I find that over time, (non-spammer) mailservers
> that do not issue a reasonable HELO/EHLO are increasingly rare.
>
> On the one hand, CNAME for HELO is all too common (and accepted - wrong
> though it may be), but HELO that does not resolve, or does not have
> port 25 open on the resolved IP is more and more commonly the reason
> for mail from that server being rejected.
>
> As a result, SPF on host names, and a requirement that HELO be "OK"
> is more and more palatable as a standard.
>
> For my mailserver, which I admit is relatively small, I see several
> thousand incoming unique hosts each day, and filter quite successfully on
> a series of filters based on HELO. I can count on one hand the number of
> complaints of "false positives" with this technique in the last
> 5 years.
>

We avoid the "false positive" (false reject) problem by not rejecting if
we are not sure. Our HELO check is basically a bypass for reputable
domains to avoid the spam filters. It is not intended to catch the bad
guys (although it will if they are stupid enough to use a HELO name that
is protected from forgery).

As for "brain damaged clients" we have a web page that explains in
simple terms how to fix their HELO name. My experience in using this
system over the last two years is that small domains are cooperative
(sure, whatever will help our mail delivery), and only a few large
domains are a problem (nobody tells *us* what to do!). We have default
records for these large domains, using their entire IP allocation (still
a small fraction of the entire zombie space). I haven't seen it happen
yet, but if they do get some zombies inside their IP allocation and
using their HELO name, I expect they will move quickly to correct their
record (it's easier than calling their lawyer).

The important thing in getting sender cooperation is to not ask too
much, and make sure the benefit exceeds the cost. Asking them to
install special software is too much. Asking them to change DNS
providers (so they can publish special SRV records) is too much. Asking
them to add "-all" to their SPF records is too much. Asking them to
simply correct our best guess as to their transmitter addresses is not
too much. It only takes a few minutes, and it will eliminate the
zombies entirely, restore their reputation, and avoid the quarantine.

-- Dave

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

iane at sussex

Jan 15, 2010, 2:58 AM

Post #12 of 20 (3259 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

--On 14 January 2010 14:52:40 -0600 Don Lee
<spfdiscuss [at] caution> wrote:

>
> On the one hand, CNAME for HELO is all too common (and accepted - wrong
> though it may be), but HELO that does not resolve, or does not have
> port 25 open on the resolved IP is more and more commonly the reason
> for mail from that server being rejected.

There's no reason that my sending mail server should have port 25 open.
Many sites separate their outbound and inbound servers. Sender
verifications rely on MX records, which could point anywhere.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jan 15, 2010, 4:36 AM

Post #13 of 20 (3253 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

At 10:58 15/01/2010 Friday, Ian Eiloart wrote:

>--On 14 January 2010 14:52:40 -0600 Don Lee <spfdiscuss [at] caution> wrote:
>
>>
>>On the one hand, CNAME for HELO is all too common (and accepted - wrong
>>though it may be), but HELO that does not resolve, or does not have
>>port 25 open on the resolved IP is more and more commonly the reason
>>for mail from that server being rejected.
>
>There's no reason that my sending mail server should have port 25 open. Many sites separate their outbound and inbound servers. Sender verifications rely on MX records, which could point anywhere.

I agree most large providers would be the
MX is totally unrelated to legit HELO clients
port 25 is only related to MX, thus totally unrelated to HELO clients

legit HELO clients are only required by absolutely extreme best practices to

A HELO as a name that is resolvable by A to its connecting from ip #counter forgery
B have a PTR > PTRNAME > IP, FQRDNS #traceability of owner
C have an SPF for HELO that authorises its connecting ips #counter forgery if present A unnecessary, as this provides
#proof of A, and intent to use this domain for HELO
D CSV for HELO if possible #counter forgery equivalent to C
E PTRNAME in the same domain as HELO #proof that traceable owner is person operating sending software
#anti malware/trojan
F PTRNAME != HELO #proof that sending software is not just malware using its FQRDNS
#as otherwise A+C/D+E proves nothing about this connection
#just that the IP does also originate mail
G PTRNAME using .mxout. #tiny extra points for trying to please everyone

even in this draconian {but easy to implement on any existing setup}
list of requirements doesn't tie MX to HELO
or require port 25 open on senders
{as no one should}

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

iane at sussex

Jan 15, 2010, 7:14 AM

Post #14 of 20 (3262 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

--On 15 January 2010 12:36:06 +0000 alan <spfdiscuss [at] alandoherty> wrote:

> F PTRNAME != HELO #proof
> that sending software is not just malware using its FQRDNS

Er, but isn't HELO = PTRNAME required by section 4.1.4 of RFC5321?

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at caution

Jan 15, 2010, 1:15 PM

Post #15 of 20 (3259 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

>--On 14 January 2010 14:52:40 -0600 Don Lee <spfdiscuss [at] caution> wrote:
>
>>
>> On the one hand, CNAME for HELO is all too common (and accepted - wrong
>> though it may be), but HELO that does not resolve, or does not have
>> port 25 open on the resolved IP is more and more commonly the reason
>> for mail from that server being rejected.
>
>There's no reason that my sending mail server should have port 25 open. Many sites separate their outbound and inbound servers. Sender verifications rely on MX records, which could point anywhere.
>

Quite right, but that's not my point.

My point is that legit mailservers have substantial incentive to
use something reasonable for HELO. Random junk for HELO _will_ cause
e-mail delivery problems to various servers that require one or
more of the "non-required" HELO tests.

For instance, there are servers out there that only accept mail if
HELO resolves to a server with port 25 open AND accepts mail to the
MFROM address.

That's not kosher, but it's not that uncommon (esp in Europe)

If they can get away with all those hoops, then I can require that the
HELO at least resolve.

Bottom line - I do not hesitate to require reasonable HELO values,
because unreasonable ones from legit servers are so very rare.

-dgl-

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jan 15, 2010, 2:23 PM

Post #16 of 20 (3259 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

On Fri, 15 Jan 2010, Don Lee wrote:

> If they can get away with all those hoops, then I can require that the
> HELO at least resolve.
>
> Bottom line - I do not hesitate to require reasonable HELO values,
> because unreasonable ones from legit servers are so very rare.

Unfortunately, all the bozos with bogus HELO are my clients potential
customers, and when my client rejects their bogus HELO, they take their
business elsewhere. Sigh.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jan 15, 2010, 8:36 PM

Post #17 of 20 (3263 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

At 15:14 15/01/2010 Friday, Ian Eiloart wrote:

>--On 15 January 2010 12:36:06 +0000 alan <spfdiscuss [at] alandoherty> wrote:
>
>>F PTRNAME != HELO #proof
>>that sending software is not just malware using its FQRDNS
>
>Er, but isn't HELO = PTRNAME required by section 4.1.4 of RFC5321?

i see no mention of ptr-name anywhere in the doc but if you mean this

"The SMTP client MUST, if possible, ensure that the domain parameter
to the EHLO command is a primary host name as specified for this
command in Section 2.3.5. If this is not possible (e.g., when the
client's address is dynamically assigned and the client does not have
an obvious name), an address literal SHOULD be substituted for the
domain name."

as defined in 2.3.5 "primary host name" == a FQDN with an A record
as opposed to a partial name, or a "secondary host name" FQDN with a CNAME that points to a primary

unfortunately people mixing up FQRDN and FQDN is also common
a host ip can have multiple primary names
secondary {and teritary etc} are just CNAMES

any mail hosts IP in my control has usually at least these 6 primary names

ptr-name obvious use, to match the PTR and verify organization identity that owns IP
client-helo-name for outbound to others port 25
mx-tls-cert-name the one the domains mx records point to accepts inbound connections on port 25 and matches tls cert
submission-port-tls-cert-name the name clients connecting to port 587 use and matches the tls cert there
pop3-port-name just so moving to a server-per-role setup later means no re configuring clients
host-name-in-os used by me to ssh to the right box regardless of which service is running where today :)

as usually all the ip's for the above stuff are HA spread across several physical servers

you can always read http://www.alandoherty.net/info/mailservers/
for further BUP stuff {best Uncommon Practices}

>--
>Ian Eiloart
>IT Services, University of Sussex
>01273-873148 x3148
>For new support requests, see http://www.sussex.ac.uk/its/help/
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
>Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
>
>Archives: https://www.listbox.com/member/archive/735/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/735/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Jan 15, 2010, 9:02 PM

Post #18 of 20 (3260 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

At 22:23 15/01/2010 Friday, Stuart D. Gathman wrote:
>On Fri, 15 Jan 2010, Don Lee wrote:
>
>> If they can get away with all those hoops, then I can require that the
>> HELO at least resolve.
>>
>> Bottom line - I do not hesitate to require reasonable HELO values,
>> because unreasonable ones from legit servers are so very rare.
>
>Unfortunately, all the bozos with bogus HELO are my clients potential
>customers, and when my client rejects their bogus HELO, they take their
>business elsewhere. Sigh.

your client can obviously choose not to reject on spf helo fail
and all the other {helo as localhost} type dumb errors if they want
[their server their rules is the MAXIM]

{I personally look on it as an opportunity to highlight/help them fix the issue thus the reject message gives them the url filled with the why/how info for what they are doing wrong and how to fix along with my number etc. if needing free support.
As if they need help delivering to my customers it is a customer support issue as long as the caller is sending solicited mail}

its no reason to not empower the rest of us to drop invalid helo's
and have methods {like spf} to advise others which of our domains to never accept within helo
{like i have v=spf1 -all on all my PTR-NAME WWW NS POP3 RSYNC MX SUBMISSION host names to restrict bot output if it ever happens}
i only have otherwise on MFROM and HELO-client domains {and the HELO ones a doozy to ensure it only allows postmaster [at] hel due to the cruddy way spf1 mixed both roles together}
{as well as self listing all but mailservers in PBL.spamhaus etc}

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

stuart at bmsi

Jan 15, 2010, 11:10 PM

Post #19 of 20 (3256 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

On Sat, 16 Jan 2010, alan wrote:

> At 22:23 15/01/2010 Friday, Stuart D. Gathman wrote:
> >> Bottom line - I do not hesitate to require reasonable HELO values,
> >> because unreasonable ones from legit servers are so very rare.
> >
> >Unfortunately, all the bozos with bogus HELO are my clients potential
> >customers, and when my client rejects their bogus HELO, they take their
> >business elsewhere. Sigh.
>
> your client can obviously choose not to reject on spf helo fail
> and all the other {helo as localhost} type dumb errors if they want
> [their server their rules is the MAXIM]
>
> {I personally look on it as an opportunity to highlight/help them fix the
> issue thus the reject message gives them the url filled with the why/how info
> for what they are doing wrong and how to fix along with my number etc. if
> needing free support.

The bozos who use bogus HELO never ever look at the reject message. The
ones that call for help instead of taking their business elsewhere
describe the problem as "my email is bouncing". Often, there is not
actually a problem, and they just received a delay DSN.

Here is one helpful hint, that I recently discovered, however.
Messages in LARGE TYPE, CAPS and other obvious attempts to draw attention
are completely ignored by end users. However, they almost always read,
and (amazingly) *memorize* anything in especially tiny type near the
end of an HTML page. So put any bottom line important information
that end users need to see in 6 point type at the end of the page.
I also leave it in H1 style at the top for the occasional more rational
reader.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

iane at sussex

Jan 18, 2010, 3:03 AM

Post #20 of 20 (3241 views)
Permalink

Re: Resolving MFROM/HELO conflicts [In reply to]

--On 15 January 2010 15:15:42 -0600 Don Lee
<spfdiscuss [at] caution> wrote:

>> --On 14 January 2010 14:52:40 -0600 Don Lee
>> <spfdiscuss [at] caution> wrote:
>>
>>>
>>> On the one hand, CNAME for HELO is all too common (and accepted - wrong
>>> though it may be), but HELO that does not resolve, or does not have
>>> port 25 open on the resolved IP is more and more commonly the reason
>>> for mail from that server being rejected.
>>
>> There's no reason that my sending mail server should have port 25 open.
>> Many sites separate their outbound and inbound servers. Sender
>> verifications rely on MX records, which could point anywhere.
>>
>
> Quite right, but that's not my point.
>
> My point is that legit mailservers have substantial incentive to
> use something reasonable for HELO. Random junk for HELO _will_ cause
> e-mail delivery problems to various servers that require one or
> more of the "non-required" HELO tests.
>
> For instance, there are servers out there that only accept mail if
> HELO resolves to a server with port 25 open AND accepts mail to the
> MFROM address.
>
> That's not kosher, but it's not that uncommon (esp in Europe)

They won't be getting mail from us then. I've never had a complaint about
this, though.

> If they can get away with all those hoops, then I can require that the
> HELO at least resolve.

Yep. No reason not to do that.

> Bottom line - I do not hesitate to require reasonable HELO values,
> because unreasonable ones from legit servers are so very rare.

Fair enough.

> -dgl-
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
> Modify Your Subscription: http://www.listbox.com/member/
> [http://www.listbox.com/member/]
>
> Archives: https://www.listbox.com/member/archive/735/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/735/
> Powered by Listbox: http://www.listbox.com

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads