On Sat, Jan 05, 2008 at 09:50:17PM +0000, Mark wrote:
> The 'problem' with RFC-compliant HELO data is, of course, that,
> officially, there's no other requirement than that HELO be a FQDN or an
> address literal.
That's not correct.
4.1.1.1 says:
"The argument field contains the fully-qualified domain name
of the SMTP client if one is available."
^^^^^^^^^^^^^^^^^^
Although it may be hard to verify that the client is lying,
there's plenty of room in RFC2821 to allow rejecting a bad HELO.
What is not allowed ("MUST NOT" in 4.1.4) is rejecting on HELO <<if
this is because the client address and the helo parameter don't
correspond>>. That does *not* say it is forbidden to reject for
other reasons.
Carefully read "...for this reason...", which is about
"...corresponds to...".
Officially, the name which is used as HELO parameter MUST be
"a valid principal host name [...] for its host."
(or an address literal, under certain specific circumstances)
Your statement ignores the 'for its host' part.
If I know that the HELO parameter does not belong to the client host,
I can reject the command and thus any subsequent MAIL FROM command.
The following examples are allowed by RFC 2821:
C = connecting client
S = server connected to
C: HELO something.example
S: 5xy No, you are not something.example, I am!
(or: I know that host and it's not you!)
C: HELO something.example
S: 5xy According to the SPF policy at something.example, [10.1.2.3] is not
authorized to use that name
C: HELO something.example
S: 5xy Something.example does not resolve
The only examples of what is not allowed by 4.1.4 are:
C: HELO something.example
S: 5xy [10.1.2.3] is not named something.example
C: HELO something.example
S: 5xy something.example does not resolve to [10.1.2.3]
In other words: the HELO parameter needs to be a name for the host, but
it does not need to be the name of the interface used to connect.
Besides: 821 is the standard, not 2821. And 821 says:
"
In the HELO command the host sending the command identifies
itself; the command may be interpreted as saying "Hello, I am
<domain>".
"
And <domain> is to be read as <FQDN>, not as <ISP> or similar.
"HELO yahoo.com" is not RFC compliant, unless there happens to be
just one mailhost, with a lot of interfaces, having name "yahoo.com".
Alex
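The distinction drawn above (reject because the name does not resolve, is ours, or is denied by its owner's SPF HELO policy; never reject merely because the name resolves to an address other than the connecting one) is easy to get wrong in a filter. The following is an added illustration, not code from the post or from any SPF project: a small HELO classifier whose DNS table, SPF HELO results, `our_hostnames` set and the helper names are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed DNS fixture: hypothetical forward (A) records standing in for
# a real resolver.  Not part of the original post.
DNS_A = {
    "something.example": {"10.1.2.3"},
    "multihomed.example": {"192.0.2.20", "192.0.2.21"},
}

# Constructed SPF HELO-scope results: the client addresses the domain owner
# has authorized to use the name in HELO.  Also hypothetical.
SPF_HELO_AUTHORIZED = {
    "something.example": {"10.1.2.3"},
}

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")


@dataclass
class Verdict:
    accept: bool
    reason: str


def parse_address_literal(helo):
    """Return the IP inside [10.1.2.3] or [IPv6:2001:db8::1], or None if malformed."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None


def check_helo(helo, client_ip, our_hostnames):
    """Classify a HELO argument using only the rejection grounds the post says
    RFC 2821 permits.  `our_hostnames` is the set of names this server knows
    to be its own (the "you are not something.example, I am!" case)."""
    name = helo.strip().lower()

    # Address literal: accept if it is a syntactically valid IP (4.1.1.1).
    if name.startswith("["):
        if parse_address_literal(name) is None:
            return Verdict(False, "malformed address literal")
        return Verdict(True, "address literal")

    # Neither FQDN nor literal: rejectable on 4.1.1.1 syntax grounds.
    if not FQDN_RE.match(name):
        return Verdict(False, "HELO argument is not a fully-qualified domain name")

    bare = name.rstrip(".")

    # The client claims a name we know is ours, so it cannot be
    # "a valid principal host name for its host".
    if bare in {h.lower().rstrip(".") for h in our_hostnames}:
        return Verdict(False, f"you are not {bare}, I am")

    # A name that does not exist at all.
    addrs = DNS_A.get(bare)
    if addrs is None:
        return Verdict(False, f"{bare} does not resolve")

    # The owner's published SPF HELO policy denies this client the name.
    authorized = SPF_HELO_AUTHORIZED.get(bare)
    if authorized is not None and client_ip not in authorized:
        return Verdict(False, f"according to the SPF policy at {bare}, "
                              f"[{client_ip}] is not authorized to use that name")

    # Deliberately NOT checked: whether `addrs` contains client_ip.  A name that
    # resolves, just not to the connecting interface, is the 4.1.4 "MUST NOT
    # reject for this reason" case; a multi-homed host may legitimately HELO
    # with a name bound to another of its interfaces.
    return Verdict(True, "accepted")


def forbidden_mismatch_reject(helo, client_ip):
    """The test 4.1.4 forbids, kept only to make the contrast visible: True means
    the name resolves but not to the client address, which on its own is NOT a
    permitted reason to reject."""
    addrs = DNS_A.get(helo.strip().lower().rstrip("."), set())
    return bool(addrs) and client_ip not in addrs
```

Note that `multihomed.example` connecting from an unrelated address is accepted by `check_helo` even though `forbidden_mismatch_reject` flags it: that is exactly the case the post says a server must not reject on, while a missing name, an SPF HELO denial, or a claim to the server's own name each still produce a 5xy verdict.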
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/