
Re: [spf-discuss] Re: SPF adoption statistics

2005-11-22 13:20:54
Alex van den Bogaerdt writes:
On Tue, Nov 22, 2005 at 11:39:27AM -0500, Dick St.Peters wrote:

When it says "HELO bmsi.com", and it ain't one of my bmsi.com servers,
I'm going to reject it.  No matter what cockamamie RFC-ignorant
(must be a resolvable FQDN - I believe it must resolve to client, but
others disagree) HELO they came up with, they certainly aren't allowed
to use "bmsi.com".  Ditto for any other domains I manage.

You are 100% correct that the HELO name must resolve to the client.

Stuart is 100% correct.  You are not.

Show me exactly what you think it is I said that's wrong.

The _client_ is 10.2.3.4, not 10.1.2.3

If the connecting source address is set to 10.1.2.3, the client is
10.1.2.3.

To comply with the RFCs, SMTP connections out the 10.2.3.4 interface
have to use 10.1.2.3 as the source address.  (I do this routinely.)

Correct.

So regardless of which interface it uses, the client is 10.1.2.3 if
it is RFC-compliant.

You ask PTR(10.2.3.4) and get interface.example.org
Or you ask A(somehost.example.org) and get 10.1.2.3

No, if the client is compliant and uses the host name source address,
you ask PTR(10.1.2.3) and get somehost.example.org.

The subthread is about comparing the connecting IP address, 10.2.3.4,
against the HELO name.

No, the subthread I started is about the connecting IP NOT being
10.2.3.4.  RFC compliance requires it to be the 10.1.2.3 IP that
corresponds to the primary host name.

 This implies looking up either PTR(10.2.3.4)
and comparing against somehost.example.org, or looking up
A(somehost.example.org) and comparing against 10.2.3.4

No, the server will never see the 10.2.3.4 address and so will never
compare it against anything.  The only address a server will ever see
for an RFC-compliant client is the one corresponding to its primary
host name.

Hopefully, that will be the end of this, and I can go on to make the
next point I wanted to make, namely that not complying with this
particular RFC nit hardly matters.  If the rest of the network can't
even tell whether you're in strict compliance, it doesn't matter if
you're not.

To be more specific, if your dual-NIC host always makes SMTP
connections using its 10.2.3.4 address and uses the corresponding name
for its HELO/EHLO name, it does not matter if its primary hostname is
something else.

What does matter is that the client source IP address match the HELO
name it uses.  Whether they match the name returned by gethostname(2)
is of no consequence.  Unfortunately, the RFCs are not worded that
way.

--
Dick St.Peters, stpeters(_at_)NetHeaven(_dot_)com 

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
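The check the message above ends on, that the client's source address must match the HELO/EHLO name it presents rather than the name gethostname(2) would return, plus the rejection rule quoted at the top of the thread (a HELO naming one of my own domains from an address that is not one of my servers), as an added Python example. This is not code from the list or from any SPF implementation. The DNS data is constructed for the demo: the dual-NIC host from the thread (somehost.example.org on 10.1.2.3, interface.example.org on 10.2.3.4) is extended with an assumed mail.example.net at 192.0.2.25 and an assumed attacker address 198.51.100.7 whose PTR has been pointed at a name the attacker does not control. The lookups are offline stand-ins for A and PTR queries, so the block runs without a resolver.

```python
"""HELO/EHLO name versus connecting-IP consistency, with constructed DNS data.

Added example; not code from the spf-discuss thread.  The zone data is an
assumption invented for the demo: only 10.1.2.3 / 10.2.3.4 and the names
somehost.example.org / interface.example.org come from the message.
"""
import ipaddress

# Constructed A and PTR records (assumption).  198.51.100.7 is an attacker-run
# address whose reverse record claims somehost.example.org.
A_RECORDS = {
    "somehost.example.org": {"10.1.2.3"},    # primary hostname, first NIC
    "interface.example.org": {"10.2.3.4"},   # name of the second NIC
    "mail.example.net": {"192.0.2.25"},
}
PTR_RECORDS = {
    "10.1.2.3": {"somehost.example.org"},
    "10.2.3.4": {"interface.example.org"},
    "192.0.2.25": {"mail.example.net"},
    "198.51.100.7": {"somehost.example.org"},  # forged reverse record
}


def normalize(name):
    """DNS names are case-insensitive; a trailing dot is just the root label."""
    return name.strip().lower().rstrip(".")


def lookup_a(name):
    """Offline stand-in for an A query; returns a set of dotted-quad strings."""
    return A_RECORDS.get(normalize(name), set())


def lookup_ptr(ip):
    """Offline stand-in for a PTR query; returns a set of names."""
    return PTR_RECORDS.get(ip, set())


def helo_check(helo, ip, a=lookup_a, ptr=lookup_ptr):
    """Classify how the HELO/EHLO argument relates to the peer address.

    'literal'      HELO is an address literal such as [10.2.3.4] equal to the peer IP
    'forward'      A(helo) contains the peer IP: the name really resolves to the client
    'reverse-only' helo appears in PTR(ip) but A(helo) does not contain ip.  The PTR
                   zone belongs to whoever holds the address space, so on its own
                   this proves nothing about the name; the forward check is what binds
    'mismatch'     none of the above
    """
    helo = normalize(helo)
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.startswith("ipv6:"):
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return "mismatch"
        return "literal" if literal == ipaddress.ip_address(ip) else "mismatch"
    if ip in a(helo):
        return "forward"
    if any(normalize(n) == helo for n in ptr(ip)):
        return "reverse-only"
    return "mismatch"


def forged_local_helo(helo, ip, my_domains, my_ips):
    """The policy quoted at the top of the thread: a HELO naming one of my own
    domains, or a host under one, from an address that is not one of my servers
    is a forgery and is rejected regardless of anything else about the HELO."""
    helo = normalize(helo)
    doms = {normalize(d) for d in my_domains}
    claims_mine = any(helo == d or helo.endswith("." + d) for d in doms)
    return claims_mine and ip not in my_ips


if __name__ == "__main__":
    for helo, ip in [("interface.example.org", "10.2.3.4"),
                     ("somehost.example.org", "10.2.3.4"),
                     ("[10.2.3.4]", "10.2.3.4"),
                     ("somehost.example.org", "198.51.100.7")]:
        print(f"{helo:24} from {ip:14} -> {helo_check(helo, ip)}")
```

The dual-NIC host connecting from 10.2.3.4 with HELO interface.example.org classifies as 'forward', which is the point of the message: nothing on the wire reveals that its primary hostname is something else. The same host presenting somehost.example.org from 10.2.3.4 is a 'mismatch', and the forged-PTR case shows why a receiver should compare A(helo) against the peer rather than trusting PTR(ip) alone.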