-----Original Message-----
From: Alex van den Bogaerdt [mailto:alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net]
Sent: Sunday, 6 January 2008 1:09
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SPF adoption - HELO vs FROM
> On Sat, Jan 05, 2008 at 09:50:17PM +0000, Mark wrote:
>
> > The 'problem' with RFC-compliant HELO data is, of course, that,
> > officially, there's no other requirement than that HELO be a FQDN or
> > an address literal.
>
> That's not correct.
>
> 4.1.1.1 says:
> "The argument field contains the fully-qualified domain name
> of the SMTP client if one is available."
>                    ^^^^^^^^^^^^^^^^^^

Yes, I left that part out. My bad. Obviously, you are not allowed to use
just any FQDN.

> What is not allowed ("MUST NOT" in 4.1.4) is rejecting on HELO
> if this is because the client address and the helo parameter don't
> correspond. That does *not* say it is forbidden to reject for
> other reasons.

Nor did I say that you can never reject on HELO. :) All I said is,
that it doesn't have to correspond to the connecting IP address.

> If I know that the HELO parameter does not belong to the client host,
> I can reject the command and thus any subsequent MAIL FROM command.

Yes, but your examples are perfect cases of where you can determine, with
certainty, that the used HELO name belongs to someone else. When this is
not the case, without the ability to match it against the connecting IP
address, you may find it, like you said, hard to determine whether the
client is lying. So, my point is, that while I fully agree there's enough
instances where you can flat-out reject on a HELO, the reverse, which we
were talking about, namely to authenticate a HELO, is not something which
can reliably be done, sans SPF, when the HELO does not resolve to the IP
address of the connecting client.

    C: HELO notsoblatent.example
    S: 250 ...Uhm, yeah, you could be; I have no real way of telling. :)

So, effectively, without SPF or other auth mechanism, there is, as
receiver, not a whole lot else you can do except check for FQDN, and of
course weed out the cases where you KNOW the client is lying.

- Mark
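
The receiver-side decision discussed in this thread, sketched as an added example (not code from either poster or from any SPF implementation): syntax check, rejection of a known-false HELO, and a third "unverifiable" outcome for a plausible name that does not map to the connecting address. The lookup table, host names, addresses and function names are constructed for illustration, and a client claiming the receiver's own identity is assumed here as one instance of a HELO the receiver knows to be false.

```python
import ipaddress
import re

# Constructed sample data standing in for forward DNS (A records), so this runs offline.
FORWARD_DNS = {
    "mail.sender.example": {"192.0.2.10"},
    "notsoblatent.example": {"198.51.100.7"},
    "mx.receiver.example": {"203.0.113.1"},
}
# Hypothetical identity of the receiving server itself.
OWN_NAMES = {"mx.receiver.example"}
OWN_IPS = {"203.0.113.1"}

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")  # at least two labels


def parse_literal(arg):
    """Return the normalized IP inside an address literal such as [192.0.2.10], else None."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    body = arg[1:-1]
    if body.lower().startswith("ipv6:"):
        body = body[5:]
    try:
        return str(ipaddress.ip_address(body))
    except ValueError:
        return None


def classify_helo(arg, client_ip):
    """Return (verdict, reason); verdict is 'reject', 'verified' or 'unverifiable'."""
    literal = parse_literal(arg)
    if literal is None and not FQDN_RE.match(arg):
        return "reject", "not an FQDN or address literal"
    name = arg.lower()
    claims_us = name in OWN_NAMES or literal in OWN_IPS
    if claims_us and client_ip not in OWN_IPS:
        return "reject", "client claims the receiver's own identity"
    if literal == client_ip or client_ip in FORWARD_DNS.get(name, ()):
        return "verified", "HELO maps to the connecting address"
    # A mere mismatch is not grounds for rejection (the MUST NOT in 4.1.4),
    # and it proves nothing either way: this is the case SPF is meant to settle.
    return "unverifiable", "no way to tell without SPF or other auth"
```
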