
[spf-discuss] Receiver policies

2006-01-27 10:11:37
On Fri, 27 Jan 2006, Julian Mehnle wrote:

> Seriously, M:S:Q does _not_ perform an independent HELO check -- it never 
> did and never will.  I even documented this in 1.999 RC3.  M:S:Q only uses 
> the HELO identity if MAIL FROM is empty.

Pymilter doesn't check HELO if MAIL FROM gets SPF pass (real or guessed).
But HELO is checked if MAIL FROM cannot be verified.  If there is no
SPF record for the HELO, it checks for (my interpretation of) RFC-compliant
HELO (HELO name resolves to connect IP).  If HELO cannot be verified,
and there is not a valid PTR either, then the mail is rejected (3 strikes).

We get 10000 - 40000 connection attempts a day, most of which flunk
the 3 strikes test.  Occasionally, there is a "legitimate" sender with a really
badly configured mail server.  For those cases, if the postmaster won't
fix their server ("I've been using names like 'JUPITER' for HELO
for 10 years without a problem.  You obviously don't know what you're
talking about."), we enter a local SPF record for them.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
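
The "3 strikes" receiver policy described in the message above, as an added example; it is not pymilter's code and not part of the original post. SPF results are passed in by the caller, the DNS tables and the `LOCAL_SPF` table are constructed, and two points are assumptions: "valid PTR" is read as a PTR name that resolves back to the connecting IP, and any non-pass HELO SPF result counts as unverified.

```python
import ipaddress

# Constructed stand-ins for DNS (documentation address ranges), so this runs offline.
A_RECORDS = {"mail.example.org": ["192.0.2.10"], "host.example.com": ["203.0.113.5"]}
PTR_RECORDS = {"203.0.113.5": ["host.example.com"], "203.0.113.77": ["nowhere.example.com"]}
# Hypothetical local SPF table for senders who will not fix their HELO name.
LOCAL_SPF = {"jupiter": ["198.51.100.0/24"]}

def helo_spf(helo, ip, dns_result):
    """SPF result for the HELO identity; a local record overrides the DNS result."""
    nets = LOCAL_SPF.get(helo.lower())
    if nets is None:
        return dns_result
    addr = ipaddress.ip_address(ip)
    return "pass" if any(addr in ipaddress.ip_network(n) for n in nets) else "fail"

def valid_ptr(ip):
    """Assumed meaning of 'valid PTR': a PTR name that resolves back to the IP."""
    return any(ip in A_RECORDS.get(name, []) for name in PTR_RECORDS.get(ip, []))

def three_strikes(ip, helo, mailfrom_spf, helo_spf_dns="none"):
    """Return (action, strikes). SPF results are computed elsewhere and passed in."""
    if mailfrom_spf == "pass":
        return "continue", []            # MAIL FROM verified: HELO is not checked
    strikes = ["mailfrom"]
    result = helo_spf(helo, ip, helo_spf_dns)
    if result == "none":                 # no SPF record: HELO name must resolve to connect IP
        helo_ok = ip in A_RECORDS.get(helo.lower(), [])
    else:                                # assumption: any non-pass result is unverified
        helo_ok = result == "pass"
    if helo_ok:
        return "continue", strikes
    strikes.append("helo")
    if valid_ptr(ip):
        return "continue", strikes
    strikes.append("ptr")
    return "reject", strikes

if __name__ == "__main__":
    samples = [("203.0.113.77", "localhost", "none"),      # constructed connections
               ("198.51.100.20", "JUPITER", "none"),
               ("203.0.113.5", "bogus", "softfail")]
    for ip, helo, mf in samples:
        print(ip, helo, mf, three_strikes(ip, helo, mf))
```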
