spf-discuss

Re: [spf-discuss] Feature request for SPFv3

2009-07-13 14:49:33
On Mon, 13 Jul 2009, Alex van den Bogaerdt wrote:

> HELO is "validated" in the same way a PTR record is - by checking for
> a match with connect ip.
>
> My point is: either DNS is setup correctly, PTR records are setup, or it
> isn't. "... find it difficult to get their ISP to maintain PTR records." seems
> to indicate that DNS is not setup correctly.

Unfortunately, clients have no direct control over PTR records when their
IP block is less than 256 IPs (most small businesses).  All other DNS RRs
can be directly controlled by a competent admin, no matter how small -
but not PTR.  When the ISP is unresponsive, the only recourse is to
change providers - and broadband is very often a monopoly.

> AFAIK the ptr mechanism does not tie helo to the mail domain.

Correct, hence the proposal.

> Verifying that the connected IP and the HELO parameter match, is done using
> the "a" mechanism.

If there is only one, or a small number of HELOs.  Which is probably
reasonable given that the use case assumes < 256 IPs.

> Even if the DNS in-addr.arpa entry points to that bigisp, which then points
> back to the IP address, "v=spf1 a -all" will still validate an HELO parameter
> like "smtp-out.example.com".

I am talking about using the name provided by HELO to validate a MAIL FROM
identity - not the HELO identity.  Providing names via PTR is often difficult
or impossible for a small company due to lack of direct control - but HELO is
always available and directly configured by a mail admin.

> Why would dyn-10-1-2-4.bigisp.com need to be authorized?

It doesn't.  The issue is that example.com can't convince bigisp.com
(which is a broadband monopoly in the area) to install proper PTR
records for the static IPs example.com is paying for (despite a
contract saying they are supposed to).  More precisely, my experience
has been that it takes an average of 3 days and 3 hours on the phone to convince
a DNS flunky to make one change.  And then, they often mistype
the entry and you have to do it again.  It is just not worth the time and
effort unless some automated system is in place like PTR delegation
(which can be cached at bigisp and made to look like non-delegated records
to avoid any performance issues) or a web admin app.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
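The exchange above turns on how the SPF "a" and "ptr" mechanisms behave when the connecting IP's reverse name belongs to the ISP rather than to the mail domain. The following toy evaluator is an added illustration written for this archive page, not code from the thread or from any SPF implementation. It implements the RFC 4408 semantics of "a", "a:host", "ptr" and "all" over a constructed in-memory DNS table (names under example.com and bigisp.example, addresses from the 192.0.2.0/24 documentation range), and shows that "v=spf1 a -all" published at smtp-out.example.com passes for its HELO without any PTR cooperation from the ISP, that "ptr" only matches the ISP's own domain, and that the MAIL FROM domain example.com has to name each HELO host with "a:" to reuse the same check.

```python
"""Toy SPF check for the "a" and "ptr" mechanisms (RFC 4408 semantics).

Added example, not from the mailing-list thread.  All DNS data is constructed
inline so the script runs offline.  The reverse name of 192.0.2.4 is deliberately
an ISP-controlled name (dyn-192-0-2-4.bigisp.example), mirroring the situation
described in the thread: the customer controls forward DNS, the ISP controls PTR.
"""
import ipaddress

# Constructed zone data: owner name (with trailing dot) -> {rrtype: [values]}
DNS = {
    # The customer's mail host and its forward records (customer-controlled).
    "smtp-out.example.com.": {"A": ["192.0.2.4"], "TXT": ["v=spf1 a -all"]},
    # The customer's MAIL FROM domain; its own A record is a web server.
    "example.com.": {"A": ["192.0.2.10"], "TXT": ["v=spf1 a:smtp-out.example.com -all"]},
    # Reverse DNS for the mail host's IP, maintained by the ISP.
    "4.2.0.192.in-addr.arpa.": {"PTR": ["dyn-192-0-2-4.bigisp.example."]},
    "dyn-192-0-2-4.bigisp.example.": {"A": ["192.0.2.4"]},
}


def lookup(name, rrtype):
    """Return the RRset of type rrtype at name from the constructed table."""
    return DNS.get(name.rstrip(".").lower() + ".", {}).get(rrtype, [])


def mech_a(domain, ip):
    """'a' mechanism: does an A record of <domain> equal the connecting IP?"""
    return ip in lookup(domain, "A")


def mech_ptr(domain, ip):
    """'ptr' mechanism: reverse-map the IP, keep only PTR names that resolve
    back to the IP (validated names), then match if one of them is <domain>
    or a subdomain of it.  Note that the domain here is whatever the record
    says, so the ISP's name only ever matches the ISP's domain."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 4.2.0.192.in-addr.arpa
    validated = [n.rstrip(".").lower() for n in lookup(rev, "PTR") if ip in lookup(n, "A")]
    dom = domain.rstrip(".").lower()
    return any(n == dom or n.endswith("." + dom) for n in validated)


def mech_all(domain, ip):
    """'all' mechanism: always matches."""
    return True


MECHANISMS = {"a": mech_a, "ptr": mech_ptr, "all": mech_all}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, domain, ip):
    """Evaluate one SPF record string for <domain> against connecting <ip>.
    Returns pass/fail/softfail/neutral, or permerror for an unknown mechanism.
    Mechanisms are tried left to right; the first match decides the result."""
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name not in MECHANISMS:
            return "permerror"
        target = arg or domain  # "a:host" names another host; bare "a" means <domain>
        if MECHANISMS[name](target, ip):
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


def check_host(ip, domain):
    """check_host() over the table: fetch the SPF record of <domain> and evaluate it."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    return evaluate(records[0], domain, ip) if records else "none"


if __name__ == "__main__":
    ip = "192.0.2.4"
    # HELO identity: the customer's own forward DNS is enough for "a".
    print("HELO smtp-out.example.com, a     :", check_host(ip, "smtp-out.example.com"))
    # The same host checked with "ptr" fails: the reverse name is the ISP's.
    print("HELO smtp-out.example.com, ptr   :", evaluate("v=spf1 ptr -all", "smtp-out.example.com", ip))
    # "ptr" does match, but only for the ISP's domain, which says nothing about example.com.
    print("bigisp.example, ptr              :", evaluate("v=spf1 ptr -all", "bigisp.example", ip))
    # MAIL FROM identity: bare "a" on example.com points at the web server, so it fails...
    print("MAIL FROM example.com, a         :", evaluate("v=spf1 a -all", "example.com", ip))
    # ...and each HELO host must be listed with "a:" to be authorized for MAIL FROM.
    print("MAIL FROM example.com, a:smtp-out:", check_host(ip, "example.com"))
```

The last two lines of the demonstration are the practical cost the thread mentions: with only "a", a MAIL FROM domain has to enumerate every HELO host by name, which is fine for a handful of hosts but is exactly the coupling between HELO and MAIL FROM that the proposal in the thread wants SPF to express directly.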

