| Subject: | Documentation Error on Processing null Mail From |
| Date: | Fri, 23 Jan 2015 17:57:03 -0500 |
| To: | bug-Mail-SPF [...] rt.cpan.org |
| From: | Scott Kitterman <scott [...] kitterman.com> |
In lib/Mail/SPF/Request.pm, there is:
I<Note>: In the case of an empty C<MAIL FROM> SMTP transaction parameter (C<<
MAIL FROM:<> >>), you should perform a check with the C<helo> scope instead.
This is not quite correct.
See section 2.2 of RFC 4408. It says:
[RFC2821] allows the reverse-path to be null (see Section 4.5.5 in
RFC 2821). In this case, there is no explicit sender mailbox, and
such a message can be assumed to be a notification message from the
mail system itself. When the reverse-path is null, this document
defines the "MAIL FROM" identity to be the mailbox composed of the
localpart "postmaster" and the "HELO" identity (which may or may not
have been checked separately before).
Instead of performing a check with the <helo> scope, it is more correct to
create a synthetic mfrom (i.e. postmaster@helo) and check that identity using
the mfrom scope.
While the raw SPF result will, except in the case of macros, be the same,
applications which process SPF results treat HELO and mfrom results
differently, so it is important that the null mfrom check be correctly
identified as an mfrom check.
The updated SPF RFC, RFC 7208, has very similar language in section 2.4:
[RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
[RFC5321]). In this case, there is no explicit sender mailbox, and
such a message can be assumed to be a notification message from the
mail system itself. When the reverse-path is null, this document
defines the "MAIL FROM" identity to be the mailbox composed of the
local-part "postmaster" and the "HELO" identity (which might or might
not have been checked separately before).
Scott K