On Tue, 14 Nov 2006, Jon Grant wrote:
> I think I follow your point. I'd agree with doing a Reject 55x or so if
> the HELO does not match the reverse DNS of the domain
No, the HELO *name* doesn't need to match any of the names in rDNS.
Instead, the HELO name resolves to a list of IP *addresses* - one of which
should match the connect IP.
Someone pointed out that many people think rfc2821 allows a multihomed MTA
to have a mismatching HELO provided it matches one of its other
IPs (which you don't know). This goes against the spirit of HELO
in my opinion, and it is always possible to list all applicable IPs
for the HELO name, so there is no excuse for not doing it right.
Yes, it says the HELO name must "belong to the MTA". Clearly, they
meant "belongs to the interface of the MTA that you see". Belonging to some
other unknown network interface is useless.
But the point is moot since a large portion of MTAs have garbage
for HELO name (e.g. "JUPITER"), so rejecting solely on bad HELO
is impractical.
> ATM with SPF checking, it just compares the IP to the SPF right? It
> could check the HELO matches as well..
SPF also checks HELO (optionally except for DSNs). If the HELO name has
an SPF record, then that resolves any ambiguities left open by rfc2821.
If a HELO name fails SPF, then you should certainly reject the connection.
I believe you should reject a connection if HELO SPF gets anything other
than PASS. There is no forwarding, roaming users, or other things
to debug. There is just that one MTA - it has no excuse to do anything
but pass. Note that even vast farms of MTAs for huge mail providers
can give each IP used by outgoing MTAs a name to be used for HELO.
A single MTA with multiple IPs that can't tell which IP it is currently
using (perhaps because of external loadsharing of some sort) can use a name
with multiple A RRs.
However, people do manage to shoot themselves in the foot.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
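The two checks argued about in this message, the plain "HELO name resolves to the connecting IP" test and the SPF check on the HELO identity, worked through as an added example that is not code from the thread or from any SPF implementation. It runs against a constructed in-memory DNS table (all names, addresses and records below are invented) rather than live DNS, and the SPF evaluator is a deliberately small one supporting only ip4:, a, a:<domain> and the all qualifiers; a real deployment would use a full SPF library. The mail.example.net entry with two A records illustrates the multihomed/loadsharing case, and the bare "JUPITER" HELO shows why a missing record yields "none" rather than a verdict.

```python
# Added example (not from the mailing-list thread): HELO address check and a
# toy SPF-for-HELO evaluator over a constructed DNS table, so it runs offline.
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: a resolver
# returning A and TXT records per name). Addresses are documentation ranges.
FAKE_DNS = {
    "mail.example.net": {"A": ["192.0.2.10", "192.0.2.11"],   # multiple A RRs
                         "TXT": ["v=spf1 a -all"]},
    "relay.example.org": {"A": ["198.51.100.5"],
                          "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "mx.example.com": {"A": ["203.0.113.7"],
                       "TXT": ["v=spf1 a:mail.example.net ~all"]},
    # "JUPITER" deliberately absent: a garbage HELO with no DNS at all
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in resolver: return the records of the given type for a name."""
    return FAKE_DNS.get(name.lower(), {}).get(rrtype, [])


def helo_matches_connect_ip(helo, connect_ip):
    """The check the message describes: the HELO name resolves to a list of
    addresses, and the connecting IP should be one of them. The name does
    not have to appear in the rDNS of the connecting IP."""
    return connect_ip in lookup(helo, "A")


def spf_helo_result(helo, connect_ip):
    """Minimal SPF evaluation of the HELO identity.

    Returns one of none / pass / fail / softfail / neutral. Mechanisms other
    than ip4, a and all are skipped (treated as non-matching) in this toy.
    """
    records = [t for t in lookup(helo, "TXT") if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"  # no (or ambiguous) record: rfc2821 question stays open
    ip = ipaddress.ip_address(connect_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "a" or term.startswith("a:"):
            target = helo if term == "a" else term[2:]
            matched = connect_ip in lookup(target, "A")
        else:
            continue  # unsupported mechanism in this toy evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # falling off the end of a record is neutral in SPF


def reject_helo(helo, connect_ip):
    """The policy proposed in the message: reject the connection unless the
    HELO identity gets PASS. A 'none' result (no record) also rejects here,
    which is exactly the case the message calls impractical for bad HELOs."""
    return spf_helo_result(helo, connect_ip) != "pass"


if __name__ == "__main__":
    for helo, ip in [("mail.example.net", "192.0.2.11"),
                     ("mx.example.com", "203.0.113.7"),
                     ("JUPITER", "192.0.2.10")]:
        print(helo, ip, helo_matches_connect_ip(helo, ip),
              spf_helo_result(helo, ip), "reject" if reject_helo(helo, ip) else "accept")
```

Note the difference between the two checks on mx.example.com connecting from its own address 203.0.113.7: the plain A-record check succeeds, but its SPF record only authorises mail.example.net's addresses, so the HELO identity gets softfail. Whether that should be rejected is the policy question the message takes a position on; the evaluator just reports the result.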