[Dovecot] SSL/TLS with Outlook client

Kyle Wheeler kyle-dovecot at memoryhole.net
Wed Nov 14 21:31:00 EET 2007


On Wednesday, November 14 at 09:35 PM, quoth Nikolay Shopik:
>> And HELO in SMTP is entirely unreliable, unverifiable, and on many 
>> servers completely skippable.
>> 
> RFC says you SHOULD use FQDN for HELO, nothing more. But still you 
> can add SPF record for your HELO so nobody can forge your server 
> HELO, that's it.

To quote RFC 821:

     The HELO receiver MAY verify that the HELO parameter really
     corresponds to the IP address of the sender. However, the receiver
     MUST NOT refuse to accept a message, even if the sender's HELO
     command fails verification.

If you prefer RFC 2821:

     An SMTP server MAY verify that the domain name parameter in the
     EHLO command actually corresponds to the IP address of the client.
     However, the server MUST NOT refuse to accept a message for this
     reason if the verification fails: the information about
     verification failure is for logging and tracing only.

In practice, what that means is that HELO is useless for doing much of 
anything. Spammers or other criminals can forge your server's HELO to 
their heart's content and you are expressly forbidden from actually 
doing anything about it.

SPF does not override the existing standards.

And in any case, SPF HELO checks are a pointless exercise, since HELO 
is permitted to be anything at all without affecting the envelope of 
the message. A spammer can create his own domain, publish his own SPF 
settings that explicitly allow email from any source, and use that 
domain as his HELO string.

~Kyle
-- 
I believe that every human has a finite number of heart-beats. I don't 
intend to waste any of mine running around doing exercises.
                                                      -- Neil Armstrong
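
The point about permissive SPF records, as an added example that is not part of the original message: a receiver-side sketch that evaluates SPF against the HELO name, keeps the result for logging only, and flags a pass that comes from a record authorizing every source. The record table, host names and probe addresses are constructed, and only the `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (names are hypothetical).
SPF_RECORDS = {
    "mail.example.org": "v=spf1 ip4:192.0.2.10 -all",
    "throwaway.example": "v=spf1 +all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Unrelated documentation-range addresses used to spot "allow anything" records.
PROBES = ("192.0.2.1", "198.51.100.1", "203.0.113.1")


def spf_eval(record, ip):
    """Evaluate an SPF record for ip; only ip4 and all are implemented."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        mech = mech.lower()
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched


def helo_annotation(helo, ip, records=SPF_RECORDS):
    """Return (result, note) for the log; the result never drives a reject."""
    record = records.get(helo.lower().rstrip("."))
    if record is None:
        return ("none", "no SPF record for HELO name")
    result = spf_eval(record, ip)
    if result == "pass" and all(spf_eval(record, p) == "pass" for p in PROBES):
        return ("pass", "record authorizes any source; pass says nothing about the sender")
    return (result, "logged only")


if __name__ == "__main__":
    for helo, ip in [("mail.example.org", "192.0.2.10"),
                     ("mail.example.org", "203.0.113.7"),
                     ("throwaway.example", "203.0.113.7")]:
        print(helo, ip, helo_annotation(helo, ip))
```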