spf-discuss

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-11 18:42:54
----- Original Message ----- 
From: "Rolf E. Sonneveld" <r(_dot_)e(_dot_)sonneveld(_at_)sonnection(_dot_)nl>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, March 11, 2004 5:56 PM
Subject: Re: [spf-discuss] Latest proposal re HELO checking: make HELO tests optional

> This is a nice illustration of how new techniques easily may break
> current legal mail flows.

Not really.

It is a good example of people who don't have proper return paths or have
server misbehavior in RCPT validation.

Why is it taking over 35 seconds to return a response? Here is the log:

20040311 13:47:51 -------------------------------------
20040311 13:47:51 version    : 1.55 / 1.54
20040311 13:47:51 calltype   : SMTP
20040311 13:47:51 state      : rcpt
20040311 13:47:51 cip        : 193.67.246.66
20040311 13:47:51 cdn        : donald.sonnection.nl
20040311 13:47:51 from       : <r(_dot_)e(_dot_)sonneveld(_at_)sonnection(_dot_)nl>
20040311 13:47:51 rcpt       : <winserver(_dot_)support(_at_)winserver(_dot_)com>
20040311 13:47:51 sapfilter  : pass (time:16)

You pass our local filter test.

20040311 13:47:51 saprbl     : testing 66.246.67.193.sbl.spamhaus.org
20040311 13:47:54 saprbl     : testing 66.246.67.193.list.dsbl.org
20040311 13:47:54 saprbl     : testing 66.246.67.193.bl.spamcop.net
20040311 13:47:56 saprbl     : pass

You pass the RBL test.

20040311 13:48:02 sapspf     : none (time:6094)

You have no SPF record, which is something you should consider to solve
future problems with others.

So now it begins the final CBV test:

20040311 13:48:03 sapcbv     : total mx records: 3
20040311 13:48:03 try mx     : mail.sonnection.nl ip: 193.67.246.66
20040311 13:48:03 # connecting to 193.67.246.66
20040311 13:48:04 S: 220 donald.sonnection.nl -- Server ESMTP (PMDF V6.2-X10#39908)
20040311 13:48:04 C: NOOP WCSAP v1.55 Wildcat! Sender Authentication Protocol http://www.santronics.com
20040311 13:48:05 S: 250 2.0.0 OK.
20040311 13:48:05 C: HELO mail.winserver.com
20040311 13:48:06 S: 250 donald.sonnection.nl OK, [208.247.131.9].
20040311 13:48:06 C: MAIL FROM: <>
20040311 13:48:06 S: 250 2.5.0 Address Ok.
20040311 13:48:06 C: RCPT TO: <r(_dot_)e(_dot_)sonneveld(_at_)sonnection(_dot_)nl>
20040311 13:48:41 C: QUIT
20040311 13:49:01 sapcbv     : -1
20040311 13:49:01 result     : reject (0)
20040311 13:49:01 smtp code  : 552
20040311 13:49:01 reason     : Rejected by WCSAP CBV
20040311 13:49:01 wcsap finish (69094 msecs)

Why is your RCPT TO response never coming back? We have a 35 second timeout
on that. Could be set longer but you are the FIRST I've seen that has a
problem like this.

What if a system was trying to send you mail? Or needed to send a bounce
back to you? Now you are putting the burden on them by having such a
problematic RCPT validation system. Turn it off if it's not going to work.

> What did your mailserver do to verify the Return Path? My MX records are
> OK, my PTR record for the sending host is OK. What else?

How about an SPF record? Isn't that why you are here?

That would have solved this. However, it could hide the fact that you might
not be reachable or will create a long transaction session with your system.

> Furthermore, your server is giving the wrong error code. From RFC2821:
>
>   RFC 821 [30] incorrectly listed the error where an SMTP server
>   exhausts its implementation limit on the number of RCPT commands
>   ("too many recipients") as having reply code 552.  The correct reply
>   code for this condition is 452.  Clients SHOULD treat a 552 code in
>   this case as a temporary, rather than permanent, failure so the logic
>   below works.
>
> Please check RFC2821 for the proper reply codes; code 552 should be used
> for:
>
> "552 Requested mail action aborted: exceeded storage allocation"

You're right. In this case it might be better to be 550 or 553. The wcSAP
validation stuff was set with the wrong response code which sent back the
response code to the server.

Thanks for pointing that out; however, it is still a negative 55x condition
and you should look into why your server is not responding to the RCPT TO:
command.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
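
An added example, not part of the original message and not WCSAP code: a small Python parser that pairs each "C:" command in the CBV section of the log above with the "S:" reply that follows it and reports commands that never got an answer. The function names are assumptions made for this sketch; the sample lines are copied from the log in the message with wrapped lines rejoined.

```python
from datetime import datetime

# Lines copied from the CBV part of the log above (wrapped lines rejoined).
SAMPLE_LOG = """\
20040311 13:48:04 S: 220 donald.sonnection.nl -- Server ESMTP (PMDF V6.2-X10#39908)
20040311 13:48:04 C: NOOP WCSAP v1.55 Wildcat! Sender Authentication Protocol http://www.santronics.com
20040311 13:48:05 S: 250 2.0.0 OK.
20040311 13:48:05 C: HELO mail.winserver.com
20040311 13:48:06 S: 250 donald.sonnection.nl OK, [208.247.131.9].
20040311 13:48:06 C: MAIL FROM: <>
20040311 13:48:06 S: 250 2.5.0 Address Ok.
20040311 13:48:06 C: RCPT TO: <r(_dot_)e(_dot_)sonneveld(_at_)sonnection(_dot_)nl>
20040311 13:48:41 C: QUIT
20040311 13:49:01 sapcbv     : -1
"""

def parse_line(line):
    """Return (timestamp, side, text) for 'C:'/'S:' lines, else None."""
    parts = line.split(None, 3)
    if len(parts) < 4 or parts[2] not in ("C:", "S:"):
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y%m%d %H:%M:%S")
    return ts, parts[2][0], parts[3].strip()

def cbv_exchanges(log):
    """Pair each client command with the server reply that follows it.

    Returns a list of (command, reply_or_None, seconds_waited). A command
    followed by another client line has no reply; the wait is then
    measured up to that next client line.
    """
    out, pending = [], None
    for ts, side, text in filter(None, map(parse_line, log.splitlines())):
        if side == "C":
            if pending:  # previous command was never answered
                out.append((pending[1], None, (ts - pending[0]).total_seconds()))
            pending = (ts, text)
        elif pending:  # server reply to the outstanding command
            out.append((pending[1], text, (ts - pending[0]).total_seconds()))
            pending = None
    if pending:  # last command in the log, no reply recorded
        out.append((pending[1], None, None))
    return out

def unanswered(log):
    """Commands that never got a reply, excluding the closing QUIT."""
    return [(c, w) for c, r, w in cbv_exchanges(log)
            if r is None and not c.startswith("QUIT")]
```

On the sample, the only unanswered command is the RCPT TO, with a 35 second wait before the client sends QUIT.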
