On June 3, 2024 12:24:10 PM UTC, Richard Clayton <[email protected]> wrote:
>In message <[email protected]>, John Levine
><[email protected]> writes
>
>>It appears that Richard Clayton <[email protected]> said:
>>>You will need to say EHLO with a domain name that aligns with the From:
>>>if you cannot manage that then DKIM is your only way to get your bounce
>>>message to have a DMARC pass
>>
>>Now that I look at it, RFC 7489 says ambiguously in section 3.1.2 that
>>the HELO can be used to "fake" (quotes in the original) a domain for
>>alignment, while the current draft says in sec 4.4.2 "DMARC relies
>>solely on SPF validation of the MAIL FROM identity."
>
>the current text is better and far more precise (though it does rely on
>the way in which RFC7208 is written)
>
>>I don't remember the origin of this change. I don't feel strongly
>>either way whether to use the HELO but I would like to be sure
>>it's deliberate.
>
>It is NOT "using the HELO identity" it is using the "MAIL FROM identity"
>which is specially defined to be something other than what is in the
>5321 MAIL command for the special case when it would otherwise be null
>
>>What do existing DMARC libraries do?
>
>for OpenDMARC, so far as I can see, the right thing
>
> ret = opendmarc_spf2_find_mailfrom_domain(ctx, mail_from_domain,
>                                           mfrom, sizeof mfrom, used_mfrom);
> if (ret != 0 || *used_mfrom == FALSE)
> {
>         (void) strlcpy(helo, helo_domain, sizeof helo);
>         SPF_request_set_helo_dom(ctx->spf_request, helo);
> }
>
>Now one might observe that a bad person might proceed as follows
>
> HELO financialcompany.com
> MAIL FROM: <>
> RCPT TO: <[email protected]>
> DATA
> From: [email protected]
> Subject: click me
>
> http://verybad.example2.com
> .
> QUIT
>
>but that would just serve the financial company right for providing an
>SPF record in the first place (or not adding the syntax to say "here's an
>SPF record but ignore it")
That's no different than if the same identity was in Mail From:

    HELO server.financialcompany.com
    MAIL FROM: [email protected]
    RCPT TO: <[email protected]>
    DATA
    From: [email protected]
    Subject: click me

    http://verybad.example2.com
    .
    QUIT

Either way it only passes SPF if the IP address for the connection is listed in
financialcompany.com's SPF record. The problem we've been seeing is that
people list (via include: or directly) addresses run by operators who don't
take care to prevent their customers from spoofing each other. HELO usage for
the null sender case makes that neither better nor worse.
I think that the current language is accurate, given what RFC 7208 says. I
think people who are going to misread RFC 7208 are going to misread it no
matter what we say here, so we should move on.
Scott K
dmarc mailing list -- [email protected]