On Wed, May 04, 2005 at 11:10:47AM -0400, Radu Hociung wrote:
"3.6 Domains
Only resolvable, fully-qualified, domain names (FQDNs) are permitted
when domain names are used in SMTP. In other words, names that can
be resolved to MX RRs or A RRs (as discussed in section 5) are
permitted, as are CNAME RRs whose targets can be resolved, in turn,
to MX or A RRs. Local nicknames or unqualified names MUST NOT be
used. There are two exceptions to the rule requiring FQDNs:
- The domain name given in the EHLO command MUST BE either a primary
host name (a domain name that resolves to an A RR) or, if the host
has no name, an address literal as described in section 4.1.1.1.
"
This one specifically says that the HELO may not be a domain name.
True, under very limited circumstances. And I doubt that these
circumstances would occur for people publishing SPF. Even if they
do occur, why would this be an argument not to check every other
case? Where domains are used, they have to be the FQDN of the host
making the connection. The owner of this FQDN is able to specify
that you and I are not allowed to use his/her domain name.
Your argumentation: "... the results of a DNS loookup on them
would be *undefined*" (sic) doesn't hold. Either the argument
is a FQDN, one which can and should be checked, or it is an
address literal which can be checked by other means.
Yes, some (many?) domains do it wrong nowadays.
Yes, they aren't all spammers or other malicious types.
No, this does not mean we should remove the check.
The fact remains that the word following the HELO is not guaranteed to
be an FDQN.
In such cases, it is clear that it is not a FQDN so SPF checking
does not apply. In all other cases, SPF can be setup such that
HELO can be checked.
Pseudo code:
usual_helo_checks($helo)
such as local blacklist
such as local whitelist
such as checking for being malformed
such as spoofed local addresses/names
if _argument_to_helo_is_fqdn($helo)
then
check_host($helo)
fi
cheers,
Alex