[Dovecot] SSL/TLS with Outlook client

Marcus Rueckert darix at opensu.se
Wed Nov 14 23:51:33 EET 2007


On 2007-11-14 13:31:00 -0600, Kyle Wheeler wrote:
> On Wednesday, November 14 at 09:35 PM, quoth Nikolay Shopik:
> >>And HELO in SMTP is entirely unreliable, unverifiable, and on many 
> >>servers completely skippable.
> >>
> >RFC says you SHOULD use FQDN for HELO nothing more. But still you 
> >can add SPF record for your HELO so nobody can forge your server 
> >HELO, that's it.
> 
> To quote RFC 821:
> 
>     The HELO receiver MAY verify that the HELO parameter really
>     corresponds to the IP address of the sender. However, the receiver
>     MUST NOT refuse to accept a message, even if the sender's HELO
>     command fails verification.
> 
> If you prefer RFC 2821:
> 
>     An SMTP server MAY verify that the domain name parameter in the
>     EHLO command actually corresponds to the IP address of the client.
>     However, the server MUST NOT refuse to accept a message for this
>     reason if the verification fails: the information about
>     verification failure is for logging and tracing only.
> 
> In practice, what that means is that HELO is useless for doing much of 
> anything. Spammers or other criminals can forge your server's HELO to 
> their heart's content and you are expressly forbidden from actually 
> doing anything about it.
> 
> SPF does not override the existing standards.
> 
> And in any case, SPF HELO checks are a pointless exercise, since HELO 
> is permitted to be anything at all without affecting the envelope of 
> the message. A spammer can create his own domain, publish his own SPF 
> settings that explicitly allow email from any source, and use that 
> domain as his HELO string.

rejecting on wrong information in HELO/EHLO saves me lots of spam.

    darix

-- 
           openSUSE - SUSE Linux is my linux
               openSUSE is good for you
                   www.opensuse.org
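
The check the quoted RFC 2821 text describes (does the EHLO name correspond to the client's IP address), as an added example that is not code from this thread or from Dovecot. The function names and the constructed `SAMPLE_DNS` table are assumptions; the verdict is returned for logging, and the accept/reject policy is left to the caller.

```python
import ipaddress
import re
import socket

# An FQDN here: two or more dot-separated letter/digit/hyphen labels.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN = re.compile(rf"^{LABEL}(?:\.{LABEL})+\.?$")

# Constructed sample data (documentation names and addresses), not real DNS.
SAMPLE_DNS = {"mail.example.org": {"192.0.2.10", "2001:db8::10"}}


def sample_resolve(name):
    return SAMPLE_DNS.get(name.lower(), set())


def system_resolve(name):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def verify_helo(helo_arg, client_ip, resolve=system_resolve):
    """Return 'match', 'mismatch', 'unresolvable' or 'malformed'."""
    client = ipaddress.ip_address(client_ip)
    if helo_arg.startswith("[") and helo_arg.endswith("]"):
        literal = helo_arg[1:-1]              # [192.0.2.10] or [IPv6:...]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        ip = parse_ip(literal)
        if ip is None:
            return "malformed"
        return "match" if ip == client else "mismatch"
    if parse_ip(helo_arg) is not None or not FQDN.match(helo_arg):
        return "malformed"                    # bare IP, single label, junk
    addrs = {parse_ip(a) for a in resolve(helo_arg.rstrip("."))} - {None}
    if not addrs:
        return "unresolvable"
    return "match" if client in addrs else "mismatch"
```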

