Re: Possible SPF machine-domain loophole???
On Sun, 2004-02-29 at 17:55, list+spf-discuss@... wrote:
> --On Sonntag, Februar 29, 2004 16:08:42 -0500 Theo Schlossnagle
> <jesus@...> wrote:
> > Maybe someone can explain to me why this is an issue at all. If we are
> > in here mucking with the MTA anyway (for SPF) why don't we just mandate
> > that the MTA does away with putting the domain in the Received header
> > like that.
> Because RFC2821 states the exact opposite:
> - The FROM field, which MUST be supplied in an SMTP environment,
> SHOULD contain both (1) the name of the source host as presented
> in the EHLO command and (2) an address literal containing the IP
> address of the source, determined from the TCP connection.
Note that you MUST supply the FROM field, however it SHOULD contain both
the ehlo string and the address. RFC 2119 section 3 states:
"3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course."
Not being able to intelligently determine that the string passed via
ehlo and the address that is connecting are in fact related sounds like
a fairly valid reason in this circumstance to not include the ehlo
string to me. So what we really need to determine is whether or not
leaving that information out will have consequences other than
uneducated users no longer misinterpreting the header. We should not
reject the idea entirely because precedent has always been to include