spf-discuss

Re: [spf-discuss] Resolving MFROM/HELO conflicts

2010-01-14 14:54:00
David MacQuigg wrote:
Stuart D. Gathman wrote:
Here is a little nit that wasn't addressed in RFC4408.  If HELO SPF says to 
reject, but SPF for MAIL FROM says Pass, which takes precedence?  For 
spfv1, I think we are stuck with "receiver policy" (especially since 
checking HELO is optional).  Should we specify a precedence for spfv3?
Make HELO check a MUST?  Or keep HELO optional, but give precedence to 
MFROM?

The HELO check should be mandatory, and should take precedence over the 
MFROM check.  There is no "forwarding problem" (or any other excuse for 
failure) with the HELO check.  Furthermore, all the "bells and whistles" in 
an SPF record should not apply to the HELO check.  It should be a simple 
Pass/Fail, with an immediate SMTP REJECT on Fail.

We had already talked with John Klensin about this subject and concluded that 
it is hardly practicable because of brain-damaged clients out there who don't 
even know their IP address. John suggested using a different verb, VHLO, for 
clients who wish to undergo such severe scrutiny. A "pass" would then result 
in some sort of whitelisting. I've detailed the finish for this line of 
thought in http://tools.ietf.org/html/draft-vesely-vhlo

IMHO, in spfv3, we can drop the whole idea of HELO-checking, because 
backscattering has been substantially reduced in the meantime, while SPF 
records for host names have never flown.


FWIW - I find that over time, (non-spammer) mailservers
that do not issue a reasonable HELO/EHLO are increasingly rare.

On the one hand, CNAME for HELO is all too common (and accepted - wrong
though it may be), but HELO that does not resolve, or does not have
port 25 open on the resolved IP is more and more commonly the reason
for mail from that server being rejected.

As a result, SPF on host names, and a requirement that HELO be "OK"
is more and more palatable as a standard.

For my mailserver, which I admit is relatively small, I see several
thousand incoming unique hosts each day, and filter quite successfully on
a series of filters based on HELO.  I can count on one hand the number of
complaints of "false positives" with this technique in the last
5 years.

YMMV.

-dgl-
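The precedence question Stuart raises (HELO says reject, MAIL FROM says Pass) and the HELO sanity filtering dgl describes, as an added example that is not part of the original thread or of any SPF implementation: a small receiver-side policy in Python. The SPF result strings are assumed to come from a separate checker (the RFC 4408 result names); the DNS lookup is injected and backed by a constructed in-memory table so the code runs offline, and the port-25 reachability probe from the post is omitted because it needs a live connection. The `helo_precedence` flag switches between the two positions discussed: a conclusive HELO result wins, or MAIL FROM has the final say and HELO is only a fallback.

```python
"""Receiver-side policy for combining HELO and MAIL FROM SPF results.

Added example for the spf-discuss thread; the SPF results themselves are
assumed to come from a separate checker (RFC 4408 section 2.5 result names).
The DNS lookup is injected so the example runs offline on a constructed table.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Result strings from RFC 4408 section 2.5.
SPF_RESULTS = frozenset(
    {"none", "neutral", "pass", "fail", "softfail", "temperror", "permerror"}
)

# Fully qualified host name: one or more labels followed by an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Constructed DNS table standing in for a live resolver (not real hosts).
FAKE_DNS: Dict[str, str] = {
    "mail.example.com": "192.0.2.10",
    "relay.example.net": "198.51.100.7",
}


def fake_resolve(name: str) -> Optional[str]:
    """Resolve a host name against the constructed table (None if unknown)."""
    return FAKE_DNS.get(name.lower().rstrip("."))


@dataclass
class Verdict:
    action: str  # "reject", "accept", "defer" or "continue" (no SPF decision)
    reason: str


def helo_sanity(helo: str, resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return None if the HELO argument passes basic checks, else a rejection reason.

    Covers the checks from the post that can be done offline: the argument is an
    address literal or a FQDN, and the FQDN resolves. A bare IP without brackets
    or a single unqualified label fails the FQDN test.
    """
    if helo.startswith("[") and helo.endswith("]"):
        return None  # address literal, permitted by SMTP
    if not HOSTNAME_RE.match(helo):
        return "HELO argument is not a fully qualified host name"
    if resolve(helo) is None:
        return "HELO host name does not resolve"
    return None


def combine(helo_result: str, mfrom_result: str, helo_precedence: bool = True) -> Verdict:
    """Merge the two SPF results under an explicit precedence rule.

    helo_precedence=True: a conclusive HELO result wins (HELO fail rejects even
    if MAIL FROM passes). False: MAIL FROM is consulted first and HELO is only a
    fallback. Inconclusive results (none, neutral, softfail, permerror) pass the
    decision to the other identity; temperror defers the message.
    """
    for result in (helo_result, mfrom_result):
        if result not in SPF_RESULTS:
            raise ValueError(f"unknown SPF result: {result!r}")
    ordered = [("HELO", helo_result), ("MAIL FROM", mfrom_result)]
    if not helo_precedence:
        ordered.reverse()
    for identity, result in ordered:
        if result == "fail":
            return Verdict("reject", f"SPF {identity} fail")
        if result == "pass":
            return Verdict("accept", f"SPF {identity} pass")
        if result == "temperror":
            return Verdict("defer", f"SPF {identity} temperror")
    return Verdict("continue", "no conclusive SPF result; apply other filters")


def evaluate(helo: str, helo_result: str, mfrom_result: str,
             resolve: Callable[[str], Optional[str]] = fake_resolve,
             helo_precedence: bool = True) -> Verdict:
    """Apply the HELO sanity filters first, then the SPF precedence rule."""
    problem = helo_sanity(helo, resolve)
    if problem is not None:
        return Verdict("reject", problem)
    return combine(helo_result, mfrom_result, helo_precedence)


if __name__ == "__main__":
    cases = [("mail.example.com", "pass", "fail"),
             ("mail.example.com", "fail", "pass"),
             ("192.0.2.1", "none", "pass"),
             ("nx.example.invalid", "none", "none")]
    for args in cases:
        for prec in (True, False):
            v = evaluate(*args, helo_precedence=prec)
            print(f"{args} helo_precedence={prec}: {v.action} ({v.reason})")
```

The same pair of results (HELO fail, MAIL FROM pass) yields a reject under HELO precedence and an accept under MAIL FROM precedence, which is exactly the "receiver policy" gap the thread points out: spfv1 gives no normative answer, so the choice has to be made explicit in the receiver's configuration.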

