spf-discuss

Re: SPF HELO checking

2004-12-13 15:35:14
On Mon, Dec 13, 2004 at 06:55:40PM +0100, David wrote:

>>> a) RFC says what everybody must use in the HELO; maybe it would be better
>>>  to just enforce it.
>>
>> And what do you think the RFC enforces?
>
> It's very clear: the HELO/EHLO must be the FQDN or the IP literal
> of the SMTP client, never a domain name (unless it has an A record).
>>
>> Let me tell you in advance: The RFC does NOT enforce that the domain
>> name as given in HELO can be correlated to the connecting IP address.
>
> Please see RFC 2821 section 4.1.1.1 and RFC 1123 section 5.2.5.

I have.  You fail to consider multi-homed hosts.

The primary name of a box is "hosta.example.tld" with address 192.168.1.1.
The address of the interface connecting to you is 192.168.2.1, and
this resolves to "hosta.otherexample.tld" (and back).

This host MUST use "hosta.example.tld" in HELO.

It cannot use its domain literal in this case, since its name is known.
Using the domain literal is a workaround in case of problems.

It cannot use the name bound to the "otherexample.tld" connected address.
It has to use its _primary_ name.

RFC 2821 allows rejection for various reasons.  The only thing it
specifically forbids is that you MUST NOT reject purely on the fact that
ptr(connecting IP address) != HELO.

>>> b) Why complicate SPF with HELO checking when all this checking could be
>>>  avoided by viruses/spam just using the correct IP literal in the HELO?
>>
>> Currently there is no way, apart from SPF and similar protocols, to see
>> what IP addresses are allowed to use a certain HELO.
>
> Please read carefully what I post.

Don't assume I didn't.

>> Huh?  Never mind.  HELO checks are, and have been, possible using SPF.
>> IIRC it is optional _for_the_receiver_ and mandatory _for_the_sender_.
>
> Oops ... HELO checks are mandatory for the sender?  Where did you read
> this?

The sender does not need to check itself; it is mandatory for the sender
to make sure the HELO can be checked.  _Checking_ the HELO string is optional
for the _receiver_.

Where did I read this?  Well, on this list, somewhere around the beginning
of this year, maybe the end of 2003.  Where did you read the opposite, and when?

Alex
-- 
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers.  If
you reply to me off-list, you'd better tell me you're doing so.  If
you don't, and if I reply to the list, that's your problem, not mine.
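
Added example (not from the original post, and not code from any SPF implementation): a small offline SPF evaluator for the HELO identity, with a constructed in-memory zone standing in for DNS. It reproduces the multi-homed host from the message above: hosta.example.tld has its A record on 192.168.1.1 but connects from 192.168.2.1, whose PTR points at hosta.otherexample.tld. A PTR-only check fails for that HELO, while an SPF record published on the HELO name that lists both addresses passes. The receiver policy in helo_policy is my own, for illustration; it notes a PTR mismatch but never rejects on that alone, as RFC 2821 requires. The zone data, the SPF record, the RFC 1918 addresses and the function names are all assumptions.

```python
# Added example, not from the original post or from any SPF implementation.
# Minimal offline SPF evaluator for the HELO identity; an in-memory dict
# stands in for DNS so the whole thing runs without network access.
import ipaddress

# Constructed zone data (hypothetical names, RFC 1918 addresses).
# hosta.example.tld is the host's primary name (A = 192.168.1.1); it sends
# from a second interface, 192.168.2.1, whose PTR points elsewhere. Its SPF
# record lists both addresses, so HELO "hosta.example.tld" verifies from
# either interface even though only one of them reverse-maps to that name.
DNS = {
    ("hosta.example.tld", "A"): ["192.168.1.1"],
    ("hosta.example.tld", "TXT"): ["v=spf1 a ip4:192.168.2.1 -all"],
    ("hosta.otherexample.tld", "A"): ["192.168.2.1"],
    ("1.1.168.192.in-addr.arpa", "PTR"): ["hosta.example.tld"],
    ("1.2.168.192.in-addr.arpa", "PTR"): ["hosta.otherexample.tld"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return DNS.get((name.lower(), rtype), [])


def ptr_matches_helo(ip, helo):
    """The naive check RFC 2821 says MUST NOT be the sole reason to reject:
    does the connecting address reverse-map to the HELO name?"""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return helo.lower() in (n.lower() for n in lookup(rev, "PTR"))


def check_helo_spf(ip, helo):
    """Evaluate the HELO name's SPF record against the connecting address.
    Toy evaluator: supports only the ip4, a and all mechanisms (no include,
    mx, ptr, exists or redirect) and returns one of the SPF result strings."""
    addr = ipaddress.ip_address(ip)
    records = [t for t in lookup(helo, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"          # no SPF record published for this HELO name
    if len(records) > 1:
        return "permerror"     # more than one v=spf1 record is a permanent error
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            # "a", "a:domain" or "a:domain/prefix"; default target is the HELO name
            target, _, prefix = (arg or helo).partition("/")
            plen = int(prefix) if prefix else 32
            matched = any(
                addr in ipaddress.ip_network(f"{a}/{plen}", strict=False)
                for a in lookup(target, "A"))
        else:
            return "permerror"  # mechanism this toy evaluator does not implement
        if matched:
            return QUALIFIER[qual]
    return "neutral"           # ran off the end of the record without a match


def helo_policy(ip, helo):
    """Receiver-side decision combining the two checks; returns (action, reason).
    The policy itself is an assumption for illustration, not something the
    RFCs mandate beyond the rule that PTR mismatch alone is never grounds."""
    if helo.startswith("[") and helo.endswith("]"):
        # Address literal: there is no name to publish SPF for, so the only
        # thing to check is that the literal is the connecting address.
        if ipaddress.ip_address(helo[1:-1]) == ipaddress.ip_address(ip):
            return ("accept", "address literal matches connecting IP")
        return ("reject", "address literal does not match connecting IP")
    result = check_helo_spf(ip, helo)
    if result == "fail":
        return ("reject", "SPF HELO check failed")
    if result == "pass":
        return ("accept", "SPF HELO check passed")
    if not ptr_matches_helo(ip, helo):
        # Allowed to note it, not to reject on it alone (RFC 2821 section 4.1.4).
        return ("accept", f"SPF {result}; PTR mismatch noted, not a rejection reason")
    return ("accept", f"SPF {result}; PTR matches")


if __name__ == "__main__":
    for ip, helo in [("192.168.2.1", "hosta.example.tld"),
                     ("192.168.1.1", "hosta.example.tld"),
                     ("10.1.2.3", "hosta.example.tld"),
                     ("192.168.2.1", "hosta.otherexample.tld"),
                     ("10.1.2.3", "[10.1.2.3]")]:
        print(ip, helo, "ptr_match=%s" % ptr_matches_helo(ip, helo)
              if not helo.startswith("[") else "", helo_policy(ip, helo))
```

Running it shows the point of the thread: from 192.168.2.1 with HELO hosta.example.tld the PTR check is false (the address reverse-maps to hosta.otherexample.tld), yet the SPF HELO check passes because the published record says that address may use that name; from 10.1.2.3 the same HELO hits -all and is rejected on SPF, not on PTR. An address-literal HELO gets no SPF result at all, which is exactly David's objection: SPF HELO checking constrains names, not literals.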

