spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [spf-discuss] SPF adoption - HELO vs FROM

2008-01-05 22:00:02
from [Don Lee] [Permanent Link] 
Jeremy wrote:


Section 3.2 says, in addition,



    In the EHLO command the host sending the command identifies itself

While that isn't a direct link to the IP in use, some people
feel that it isn't unreasonable to require a traceable coupling
between the IP and the HELO via DNS lookups (even if it takes more
than one lookup step) in order to enforce the 3.2 wording.


Agreed. But I'd also like to draw your attention to RFC 2821 4.1.4,
Paragraph 6

4.1.4 Order of Commands [paragraph 6]:

    An SMTP server MAY verify that the domain name parameter in the EHLO
    command actually corresponds to the IP address of the client.
    However, the server MUST NOT refuse to accept a message for this
    reason if the verification fails: the information about verification
    failure is for logging and tracing only.

The forbidding MUST NOT leaves little room for interpretation.

Don't get me wrong, though, I'm all for HELO checking, and I personally do
a LOT of it. But all under the heading of: "My MTA, my rules." :)

But my 'objections' were more to Don's scrutiny to force server operators
"to provide RFC-compliant HELO data," in the pointing out that when it
comes to RFCs, to-date they still offer more space to maneouvre in than
perhaps we'd like to see.

- Mark


In the broad scheme of things, this would be very high on my list of things
to change.  The RFCs should, IMHO, require a traceable HELO/EHLO for
server "greeting".  It is already that way de-facto by virtue of the
checking on HELO that most servers already do for anti-spam.

The "MUST NOT refuse" verbiage should just be removed.

Is there a legitimate reason to maintain this particular "room to
maneuver" for HELO?  It seems little more to me than a hole in the
standard that leaves elbow room for the malicious and the incompetent.

-dgl-

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: 
http://v2.listbox.com/member/?member_id=2183229&id_secret=82340782-4c2231
Powered by Listbox: http://www.listbox.com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] SPF adoption - HELO vs FROM, Alex van den Bogaerdt
Next by Date:  [spf-discuss] SPF Mail Summary Report, spf-discuss
Previous by Thread:  RE: [spf-discuss] SPF adoption - HELO vs FROM, Mark
Next by Thread:  Re: [spf-discuss] SPF adoption - HELO vs FROM, Alex van den Bogaerdt
Indexes:  [Date] [Thread] [Top] [All Lists]