On 24 Feb 2004 at 9:50, wayne wrote:
If we were to do strict HELO checking, many of those legitimate machines
would now begin to fail, and the false-positive rate of SPF would become
very high right away; it would be high enough that people would reject
it as too idealistic.
I think it my be useful to do SPF checking on the HELO string, and
reject the connection if the SPF check fails, but let it pass
otherwise.
That was my idea too. I have no problem with bad HELO strings from
misconfigured senders, but I have a problem when someone forges my domain
in a HELO string. So if someone says "HELO mail.baschny.de", and I have
mail.baschny.de. IN TXT "v=spf1 -all"
this would mean "this host NEVER sends emails", so it should be rejected.
If someone says "HELO baschny.de" and I have:
baschny.de. IN TXT "v=spf1 mx a -all"
the receiver can check if the IP is allowed to introduce itself as
"baschny.de" (one of the MX-servers or the A-record of baschny.de), else
it gets rejected.
This has no impact on other tests that a MTA might optionally do (reverse
and forward lookup, valid domain, etc), since those have nothing to do
with the specific "policy" for my domain.
--
Ernesto Baschny <ernst(_at_)baschny(_dot_)de>
http://www.baschny.de - PGP: http://www.baschny.de/pgp.txt
Sao Paulo/Brasil - Stuttgart/Germany
Ernst(_at_)IRCnet - ICQ# 2955403