spf-discuss

Re: MAY vs SHOULD vs MUST

2004-06-22 09:14:23
On Mon, 21 Jun 2004 11:15:17 -0400, Meng Weng Wong wrote:

> On Sun, Jun 20, 2004 at 10:32:54PM +0100, Karl Prince wrote:
> | This slide implies (very strongly) that in SPF Classic, 
> | checking the HELO is a MUST, but the latest posted RFC proposal 
> | (200405), section 2.2.1 says 
> |         "SMTP+SPF receivers MAY check the HELO argument"
> | My opinion is that it should be a MUST, but I am concerned 
> | about potential issues with potentially matching .local domains 
> | at both ends of the transaction.
> 
> In a new version of the draft we can put out something that
> says "receivers MAY check any of the above identities, and
> SHOULD check the following at least:"
> 
>   HELO
>   MAIL FROM
>   PRA in the form of SUBMITTER if present

I would rather it was "and MUST check the following (if 
present) at least:" though this could be just me not getting the 
difference between SHOULD and MUST.

I'm sure this argument must have been used already, but I can't 
find it in the archives. If the HELO is always checked, rather 
than just on bounces or at the administrator's discretion (is 
the default HELO check on or off?), then issues with the HELO 
will not necessarily come to light during initial 
post-installation testing. I suppose I just can't understand why 
it should be optional; I can't see a downside that wouldn't be 
found on a bounce.


Anyway, moving on, the quality of HELOs is a major issue, 
particularly from sites using Active Directory and Exchange, 
which seem to default to an FQDN ending in ".local". I see 
potential problems here if domains ending in ".local" are not 
excluded from FQDN HELO tests.

A simple example of this problem is two AD/Exchange sites, 
"mydomain.com" and "mydomain.net", trying to email each other: 
there is a good chance they would both use the HELO 
mydomain.local, and end up using a local (and incorrect) record.

I have observed that this example may be worse in practice, with 
the local domain names frequently being shortened versions of 
the actual public domain. I'll have to invent an example so as 
not to point fingers at the guilty. Say solicitors Smith, Smith 
& Smith used smith.local for their AD; this seems to happen 
quite a bit, along with generic names.

So I propose that FQDN HELOs ending in .local are not 
processed, including in the bounce scenario (unless the 
connecting IP is defined as local).

FWIW, I'm finding on my server that the majority of small 
businesses that send mail directly by MX are getting the HELO 
wrong; most end in .local and/or do not resolve. Even having a 
PTR record is too much for many, and many of those that do look 
like DHCP, with the IP embedded in the name. I've pretty much 
given up trying to "educate" many of them, since they don't see 
it as an issue. I wish AOL/Yahoo/Hotmail would add resolving 
FQDN HELOs to their policies; that would get them "educated" 
pretty quickly.

Regards
Karl Prince


______________________________________________________________
Email via Mailtraq4Free from Enstar (www.mailtraqdirect.co.uk)

