spf-discuss

Re: [spf-discuss] SPF basics commentary

2007-01-29 08:30:25
On Sun, 28 Jan 2007, Devin Ganger wrote:

> On 1/28/07 8:35 PM, <stuart(_at_)bmsi(_dot_)com> wrote:
>
>> On Sun, 28 Jan 2007, Don Lee wrote:
>>
>>> There is a large and growing number of mailservers "out there" that
>>> try to resolve the HELO name, and some do rDNS on the IP and
>>> ensure that it matches the HELO.
>>
>> All PTR records provide is a name - that you have to verify by checking
>> that it resolves to the IP.  Well, guess what, a HELO name is a ... name ...
>> that you can verify by checking that it resolves to the IP - clearly
>> establishing that the domain owner designated that IP.  So why
>> did you bother fetching the PTR records again?
>
> Because by checking that A and PTR agree, I am confirming that the domain
> that the machine claims to be is in fact authorized to be using that IP
> address (barring institutional stupidity from ISPs who don't allow customers
> to update rDNS information on a timely basis).

Yes, but checking that the name provided by HELO agrees *already* checks 
that.  Fetching PTR doesn't add anything.

Quick example to make sure you understand:

Connect from 1.2.3.4
HELO mail.example.com

Lookup A record:

mail.example.com        IN A 1.2.3.4

That name and A record are the same as you would get by first looking up:

4.3.2.1.in-addr.arpa    IN PTR mail.example.com.

There is no need to look up the PTR, because HELO has already provided it.
Bogus names can be provided in PTR just as easily as in HELO.  Verifying
the A record validates either one.  

Just think of HELO as an extra PTR that comes for free with an SMTP connection.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
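
The comparison made in the message above, as an added example that is not part of the original post: forward-confirming the HELO name and forward-confirming a PTR name both rest on the same A lookup, and a bogus name fails either way. The zone data, the `Resolver` class and the function names are constructed for illustration; only IPv4 A records are modelled, and 9.9.9.9 stands in for a host whose reverse zone publishes a name it does not own.

```python
# Constructed zone data standing in for DNS; nothing here is queried live.
A = {"mail.example.com": {"1.2.3.4"}}
PTR = {
    "1.2.3.4": ["mail.example.com"],
    "9.9.9.9": ["mail.example.com"],  # bogus PTR set by the owner of that reverse zone
}


class Resolver:
    """Answers from the tables above and counts the queries it was asked."""

    def __init__(self):
        self.queries = 0

    def a(self, name):
        self.queries += 1
        return A.get(name.rstrip(".").lower(), set())

    def ptr(self, ip):
        self.queries += 1
        return PTR.get(ip, [])


def verify_helo(res, ip, helo):
    """Forward-confirm the HELO name: one A lookup."""
    if helo.startswith("["):  # address literal: there is no name to verify
        return None
    return helo.rstrip(".").lower() if ip in res.a(helo) else None


def verify_ptr(res, ip):
    """Forward-confirmed reverse DNS: a PTR lookup, then an A lookup per name."""
    for name in res.ptr(ip):
        if ip in res.a(name):
            return name.rstrip(".").lower()
    return None


def compare(ip, helo):
    """Return ((name via HELO, queries), (name via PTR, queries))."""
    r1, r2 = Resolver(), Resolver()
    return (verify_helo(r1, ip, helo), r1.queries), (verify_ptr(r2, ip), r2.queries)


if __name__ == "__main__":
    for ip, helo in [("1.2.3.4", "mail.example.com"),
                     ("9.9.9.9", "mail.example.com"),
                     ("1.2.3.4", "[1.2.3.4]")]:
        print(ip, helo, compare(ip, helo))
```

The third case is the one place the two checks differ: a HELO given as an address literal carries no name, so only the PTR path yields one.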
