spf-discuss

Re: HELO versus MAILFROM results

2005-05-04 08:10:47
Alex van den Bogaerdt wrote:
> On Wed, May 04, 2005 at 09:23:09AM -0400, Radu Hociung wrote:
>
> > I would suggest that checking HELO with SPF is misguided at best.
> >
> > The HELO name is not required by any RFC to be a domain name.
> > localhost.localdomain is a perfectly legal HELO name. So are many others
> > that are not domain names, and thus the results of a DNS lookup on them
> > would be *undefined*.
>
> Is this the real Radu or is this a troll imposing Radu?

:) It's me... I would sign my mail cryptographically if listbox weren't
broken. (It inserts its own signature inside my signed text, which makes
my text appear tampered with).


> some quotes from RFC2821:
>    the command may be interpreted as saying "Hello, I am <domain>"
>
>    The argument field contains the fully-qualified domain name
>    of the SMTP client if one is available.
>
>    helo            = "HELO" SP Domain CRLF
>
> > The solution for the HELO check to become reliable would be for RFC2821
> > to be amended to *REQUIRE* valid, DNS available lookup names to be used
> > for the HELO exchange.
>
> It does, whenever there is such a name available it MUST be used.
> If there isn't, an address literal SHOULD be substituted instead.

The "MUST" is an assumption. I do not see the "MUST" in the RFC2821
paragraph you quoted above.

Furthermore, that paragraph also reads "if one is available", which
implies it's possible that one is not available.

Also, I see no implication that if the domain name is available, it
"MUST" be resolvable by public DNS. It may well be a good FQDN on an
internal, private network, but not on the public internet.

Indeed, since nothing further in the SMTP state machine *requires*, or
even suggests the use of this name, it would make little sense to
constrain it to being a publicly resolvable domain name.


> Domain names used MUST be the FQDN of the client.  The interface
> connecting may be attached to another name, so you cannot verify
> the ip address against the domain name however this does not mean
> the domain name suddenly doesn't have to be a FQDN.
>
> So, when an address literal is given, there MUST NOT be a domain name
> attached to this address.  Would there be such a domain name, it
> has to be used, not the address.  In all other cases, the domain name
> is used and it has to be a FQDN.  I cannot see why you would say that
> localhost.localdomain is a perfectly legal HELO name.

Perhaps I was pushing with localhost.localdomain, but here's another
quote from RFC2821:

"3.6 Domains

   Only resolvable, fully-qualified, domain names (FQDNs) are permitted
   when domain names are used in SMTP.  In other words, names that can
   be resolved to MX RRs or A RRs (as discussed in section 5) are
   permitted, as are CNAME RRs whose targets can be resolved, in turn,
   to MX or A RRs.  Local nicknames or unqualified names MUST NOT be
   used.  There are two exceptions to the rule requiring FQDNs:

   -  The domain name given in the EHLO command MUST BE either a primary
      host name (a domain name that resolves to an A RR) or, if the host
      has no name, an address literal as described in section 4.1.1.1.

"

This one specifically says that the HELO may not be a domain name.
Section 4.1.1.1 explains address literals such as [123.255.37.2].

The fact remains that the word following the HELO is not guaranteed to
be an FQDN.


Regards,
Radu.
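The RFC 2821 section 3.6 rule quoted in the thread (the EHLO/HELO argument is either a primary host name or a section 4.1.1.1 address literal) as an added example, not code from this thread or from any SPF implementation: a receiver-side classifier that sorts a HELO argument into "address literal", "looks like an FQDN" or "not a domain at all" before any SPF HELO lookup is attempted. The function names and the sample HELO values are my own constructions.

```python
import ipaddress
import re

# RFC 2821 domain labels: letters, digits and hyphens, no leading/trailing
# hyphen. A conservative syntactic check only.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def parse_address_literal(arg):
    """Return the IP inside an RFC 2821 section 4.1.1.1 address literal such
    as [192.0.2.1] or [IPv6:2001:db8::1], or None if arg is not one."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    body = arg[1:-1]
    try:
        if body.startswith("IPv6:"):
            return ipaddress.IPv6Address(body[5:])
        return ipaddress.IPv4Address(body)
    except ValueError:
        return None  # bracketed, but not a well-formed IPv4/IPv6 literal

def is_fqdn_syntax(arg):
    """True if arg has two or more valid labels. Syntax only: it says nothing
    about whether the name resolves in public DNS, which is the thread's point."""
    labels = arg.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def classify_helo(arg, client_ip):
    """Classify a HELO/EHLO argument before attempting an SPF HELO check.
    Returns (category, detail):
      'address-literal' - nothing to look up; detail says whether the literal
                          matches the connecting client IP
      'spf-applicable'  - syntactically an FQDN, so a HELO lookup makes sense
      'not-a-domain'    - unqualified or malformed; a HELO check is meaningless
    """
    literal = parse_address_literal(arg)
    if literal is not None:
        same = literal == ipaddress.ip_address(client_ip)
        return "address-literal", "matches client IP" if same else "differs from client IP"
    if is_fqdn_syntax(arg):
        return "spf-applicable", arg.rstrip(".").lower()
    return "not-a-domain", arg

if __name__ == "__main__":
    # Constructed sample HELO arguments; 192.0.2.0/24 and 2001:db8::/32 are
    # documentation address ranges, not real hosts.
    for helo in ("mail.example.com.", "[192.0.2.1]", "[IPv6:2001:db8::1]",
                 "localhost", "localhost.localdomain", "[999.1.1.1]"):
        print(f"{helo:24} -> {classify_helo(helo, '192.0.2.1')}")
```

Note that localhost.localdomain passes the syntactic check and is reported as "spf-applicable": syntax alone cannot tell a publicly resolvable FQDN from a private one, so the SPF HELO lookup that follows must still be prepared for a name that resolves nowhere.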

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature