Re: [spf-discuss] Resolving MFROM/HELO conflicts

2010-01-15 06:38:26
At 10:58 15/01/2010  Friday, Ian Eiloart wrote:


--On 14 January 2010 14:52:40 -0600 Don Lee <spfdiscuss(_at_)caution(_dot_)icompute(_dot_)com> wrote:


On the one hand,  CNAME for HELO is all too common (and accepted - wrong
though it may be), but HELO that does not resolve, or does not have
port 25 open on the resolved IP is more and more commonly the reason
for mail from that server being rejected.

There's no reason that my sending mail server should have port 25 open. Many 
sites separate their outbound and inbound servers. Sender verifications rely 
on MX records, which could point anywhere.

I agree most large providers would be the 
MX is totally unrelated to legit HELO clients
port 25 is only related to MX, thus totally unrelated to HELO clients

legit HELO clients are only required by absolutely extreme best practices to

A  HELO as a name that is resolvable by A to its connecting-from IP
     #counter forgery
B  have a PTR > PTRNAME > IP, FQRDNS
     #traceability of owner
C  have an SPF for HELO that authorises its connecting IPs
     #counter forgery; if present, A is unnecessary, as this provides
     #proof of A, and intent to use this domain for HELO
D  CSV for HELO if possible
     #counter forgery equivalent to C
E  PTRNAME in the same domain as HELO
     #proof that traceable owner is person operating sending software
     #anti malware/trojan
F  PTRNAME != HELO
     #proof that sending software is not just malware using its FQRDNS
     #as otherwise A+C/D+E proves nothing about this connection
     #just that the IP does also originate mail
G  PTRNAME using .mxout.
     #tiny extra points for trying to please everyone

Even this draconian {but easy to implement on any existing setup}
list of requirements doesn't tie MX to HELO,
or require port 25 open on senders
{as no one should}.
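The checks A, B, E, F and G above are purely DNS-based and can be evaluated without ever connecting back to the sender. Below is an added example (my own illustration, not code from this thread or from any SPF or CSV implementation) that runs those checks for a HELO name and a connecting IP against a constructed, in-memory DNS table, so it executes offline. Names such as `mxout1.example.org`, the `FAKE_DNS` table, the `check_helo` function and the two-label `parent_domain` approximation of "same domain" are assumptions of this example; a real checker would query a resolver and would want a public-suffix list for the domain comparison. It deliberately performs no port-25 probe, in line with the point made above.

```python
import ipaddress

# Constructed DNS data for the example (documentation-range addresses,
# not real hosts).  "A" maps a forward name to its addresses, "PTR" maps
# a reverse name to PTR targets.
FAKE_DNS = {
    "A": {
        "mxout1.example.org.": ["192.0.2.10"],   # HELO name of a legit sender
        "mail.example.org.":   ["192.0.2.10"],   # its PTR name (differs from HELO)
        "bot.example.net.":    ["198.51.100.7"], # host that uses its own FQRDNS as HELO
    },
    "PTR": {
        "10.2.0.192.in-addr.arpa.":   ["mail.example.org."],
        "7.100.51.198.in-addr.arpa.": ["bot.example.net."],
    },
}


def fqdn(name):
    """Normalise a DNS name: lower-case, single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def reverse_name(ip):
    """in-addr.arpa / ip6.arpa name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parent_domain(name, labels=2):
    """Crude 'registered domain' approximation (assumption: last two labels)."""
    parts = fqdn(name).rstrip(".").split(".")
    return ".".join(parts[-labels:]) + "."


def check_helo(helo, ip, dns=FAKE_DNS):
    """Evaluate checks A, B, E, F and G from the list above for one connection.

    Returns a dict of booleans keyed by the check letter.  No SMTP or
    port-25 connection is made: everything comes from DNS alone.
    """
    helo = fqdn(helo)
    ip = str(ipaddress.ip_address(ip))

    # A: does the HELO name resolve (by A/AAAA) to the connecting IP?
    a_helo = ip in dns["A"].get(helo, [])

    # B: forward-confirmed reverse DNS.  PTR names for the IP that
    # resolve back to the same IP are the only ones we trust further.
    ptr_names = [fqdn(p) for p in dns["PTR"].get(reverse_name(ip), [])]
    fcrdns = [p for p in ptr_names if ip in dns["A"].get(p, [])]

    return {
        "A_helo_resolves_to_ip": a_helo,
        "B_fcrdns": bool(fcrdns),
        # E: the confirmed PTR name sits in the same domain as the HELO name.
        "E_ptr_same_domain_as_helo": any(
            parent_domain(p) == parent_domain(helo) for p in fcrdns
        ),
        # F: PTR name must differ from HELO; equality is the pattern of
        # software that simply announces its own reverse name.
        "F_ptr_differs_from_helo": bool(fcrdns) and all(p != helo for p in fcrdns),
        # G: cosmetic bonus for a ".mxout." label in the PTR name.
        "G_ptr_uses_mxout": any(".mxout." in p for p in fcrdns),
    }


def core_checks_pass(result):
    """A sender passes the anti-forgery/anti-malware core if A, B, E and F all hold."""
    return all(result[k] for k in (
        "A_helo_resolves_to_ip", "B_fcrdns",
        "E_ptr_same_domain_as_helo", "F_ptr_differs_from_helo",
    ))


if __name__ == "__main__":
    for helo, ip in [("mxout1.example.org", "192.0.2.10"),
                     ("bot.example.net", "198.51.100.7"),
                     ("mail.example.org", "203.0.113.5")]:
        r = check_helo(helo, ip)
        print(helo, ip, "core pass" if core_checks_pass(r) else "core FAIL", r)
```

The first sample passes the core checks, the second fails only F (HELO equals its own FQRDNS name, the case the list flags as "proves nothing"), and the third fails everything because the IP has no PTR record and the HELO name does not resolve to it. Check C (SPF for the HELO identity) and D (CSV) are left out here because they need a policy-record parser rather than plain name comparisons.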



