Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/07/19 07:53:54 UTC

[Bug 5567] Faulty SPF_HELO_FAIL processing.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5567


spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From spamassassin@dostech.ca  2007-07-18 22:53 -------
(In reply to comment #0)
> A correctly configured SPF record may look like this:
> 
> example.com            "v=spf1 mx ?all"
> server1.example.com    "v=spf1 -all"
> 
> The above indicates that emails of the format user@example.com are
> valid (when originating from the MX servers for example.com), but
> emails of the format user@server1.example.com never exist. 

Not quite accurate (emails "of the format user@server1.example.com" could
exist), but sure.


> SpamAssassin is incorrectly using the mail server SMTP greeting's
> host name to query SPF records for email address domains, however, in
> almost all cases, the server's host name is not an acceptable suffix
> for email addresses.

Uh, no it is not.  SA uses the mail from, found in a return-path or similar
header field value, as it should.


> In order to verify a server HELO domain via SPF - you need to
> A) look up the MX servers for the MAIL FROM domain
> B) consider only such servers as those that are authorized in the SPF
>    record for the MAIL FROM domain,
> C) and check that the HELO domain is one of those MX servers.

Uh, no.  Please quote the relevant sections of RFC 4408 that define such a method.


> Depending on whether or not the MAIL FROM domain's SPF record includes
> A or PTR or IP4/IP6 addresses - processing in step (C) may be more
> complicated.
> 
> There is no such thing as an SPF record for a mail server hostname,
> only for email address domains, thus the need for the several
> processing steps needed to do a verification.

That's not accurate at all.
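
For reference, an added example that is not part of the original message or of SpamAssassin's code: RFC 4408 treats the HELO identity and the MAIL FROM identity as two separate check_host() runs, each against the SPF record published at that identity's own domain. The sketch below evaluates the two records quoted in comment #0 that way; the MX/A data, the IP addresses and all function names are constructed for illustration, and only the `all`, `a`, `mx` and `ip4` mechanisms are handled (no modifiers or macros).

```python
import ipaddress

# Constructed DNS data (not real records); the TXT values are the two
# SPF records quoted in comment #0.
ZONE = {
    "TXT": {"example.com": "v=spf1 mx ?all", "server1.example.com": "v=spf1 -all"},
    "MX": {"example.com": ["mx1.example.com"]},
    "A": {"mx1.example.com": ["192.0.2.10"], "server1.example.com": ["192.0.2.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _addrs(name):
    return {ipaddress.ip_address(a) for a in ZONE["A"].get(name, [])}

def _matches(mech, arg, domain, ip):
    if mech == "all":
        return True
    if mech == "a":
        return ip in _addrs(arg or domain)
    if mech == "mx":
        return any(ip in _addrs(mx) for mx in ZONE["MX"].get(arg or domain, []))
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"mechanism not handled in this sketch: {mech}")

def check_host(client_ip, domain):
    """Simplified RFC 4408 check_host(): the first matching mechanism decides."""
    record = ZONE["TXT"].get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if _matches(mech.lower(), arg, domain.lower(), ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def evaluate(client_ip, helo, mail_from):
    """Return (HELO result, MAIL FROM result) for one SMTP transaction."""
    # A null reverse-path is checked as postmaster@<HELO domain> (RFC 4408, 2.2).
    mfrom_domain = mail_from.rpartition("@")[2] or helo
    return check_host(client_ip, helo), check_host(client_ip, mfrom_domain)
```

With this data, a client at 192.0.2.25 announcing `HELO server1.example.com` and `MAIL FROM:<user@example.com>` gets `fail` for the HELO identity and `neutral` for MAIL FROM, while the MX host at 192.0.2.10 gets `none` and `pass`.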


