spf-discuss

Re: [spf-discuss] Re: SPF adoption statistics

2005-11-21 19:06:31
Stuart Wrote:


When it says "HELO bmsi.com", and it ain't one of my
bmsi.com servers, I'm going to reject it.

Matthew responded:

I'm not disagreeing with your decision to reject based on
information you receive in the HELO... what I am suggesting is
that perhaps it would be better to wait for MAIL FROM phase to
break the bad news.

This is a good efficiency recommendation and I would go a step further to
delay all verification until you know what the forwarding address (RCPT TO) is.

On my system, 50-65% RCPT TO: are rejected due to unknown local address, so
you will save an equal amount on SPF/DNS lookup overhead.

The checks are triggered only once a good LOCAL ADDRESS RCPT TO is provided.

If the RCPT TO is remote (for another domain), then the user must be
authenticated using traditional means.

In this case, our sender validation features are skipped.

The only thing we do before the MAIL FROM is HELO syntax checking for
domain literals:

  - Bad domain literal, e.g., no brackets
  - Bracketed domain literal does not match connecting IP

This represents about 12% rejects on our system.  No complaints. :-)  We had
two reports since it was implemented nearly 2-3 years ago.  Each time it was
a legit sender that was fixed on the sender side.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
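
The ordering described in the message above, as an added example that is not part of the original post or of any Santronics code: the HELO domain-literal check runs first, and sender validation is deferred until a valid local RCPT TO arrives. The names `check_helo_literal`, `handle_rcpt` and `sender_check`, the session fields and the sample addresses are assumptions made for illustration; `sender_check` stands in for a real SPF evaluation.

```python
import ipaddress

# Constructed sample data; a real server would query its user database.
LOCAL_DOMAINS = {"example.org"}
LOCAL_USERS = {"alice@example.org", "postmaster@example.org"}

def check_helo_literal(helo, client_ip):
    """Pre-MAIL FROM check: return a rejection reason, or None to continue."""
    bracketed = helo.startswith("[") and helo.endswith("]")
    bare = helo[1:-1] if bracketed else helo
    if bare.lower().startswith("ipv6:"):
        bare = bare[5:]
    try:
        addr = ipaddress.ip_address(bare)
    except ValueError:
        # Not an address: a host name passes here, "[junk]" does not.
        return "bad domain literal" if bracketed else None
    if not bracketed:
        return "bad domain literal (no brackets)"
    if addr != ipaddress.ip_address(client_ip):
        return "domain literal does not match connecting IP"
    return None

def handle_rcpt(session, rcpt, sender_check):
    """Decide one RCPT TO; sender_check (hypothetical SPF hook) runs lazily."""
    rcpt = rcpt.lower()
    if rcpt.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
        # Remote recipient: relaying needs authentication, sender checks skipped.
        return "accept" if session["authenticated"] else "reject: authentication required"
    if rcpt not in LOCAL_USERS:
        # Rejected without spending any DNS lookups on the sender.
        return "reject: unknown local address"
    if session.get("sender_ok") is None:
        # First valid local recipient: run the deferred check once and cache it.
        session["sender_ok"] = sender_check(session["client_ip"], session["mail_from"])
    return "accept" if session["sender_ok"] else "reject: sender validation failed"

if __name__ == "__main__":
    lookups = []
    def fake_spf(ip, sender):  # stand-in for a real SPF evaluation
        lookups.append(sender)
        return True
    s = {"client_ip": "192.0.2.10", "mail_from": "bob@example.net", "authenticated": False}
    for r in ("nobody@example.org", "alice@example.org", "postmaster@example.org"):
        print(r, "->", handle_rcpt(s, r, fake_spf))
    print("sender lookups:", len(lookups))
    print(check_helo_literal("192.0.2.10", "192.0.2.10"))
```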


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/