[Dovecot] SSL/TLS with Outlook client
Marcus Rueckert
darix at opensu.se
Wed Nov 14 23:51:33 EET 2007
On 2007-11-14 13:31:00 -0600, Kyle Wheeler wrote:
> On Wednesday, November 14 at 09:35 PM, quoth Nikolay Shopik:
> >>And HELO in SMTP is entirely unreliable, unverifiable, and on many
> >>servers completely skippable.
> >>
> >RFC says you SHOULD use FQDN for HELO nothing more. But still you
> >can add SPF record for your HELO so nobody can forge your server
> >HELO, that's it.
>
> To quote RFC 821:
>
> The HELO receiver MAY verify that the HELO parameter really
> corresponds to the IP address of the sender. However, the receiver
> MUST NOT refuse to accept a message, even if the sender's HELO
> command fails verification.
>
> If you prefer RFC 2821:
>
> An SMTP server MAY verify that the domain name parameter in the
> EHLO command actually corresponds to the IP address of the client.
> However, the server MUST NOT refuse to accept a message for this
> reason if the verification fails: the information about
> verification failure is for logging and tracing only.
>
> In practice, what that means is that HELO is useless for doing much of
> anything. Spammers or other criminals can forge your server's HELO to
> their heart's content and you are expressly forbidden from actually
> doing anything about it.
>
> SPF does not override the existing standards.
>
> And in any case, SPF HELO checks are a pointless exercise, since HELO
> is permitted to be anything at all without affecting the envelope of
> the message. A spammer can create his own domain, publish his own SPF
> settings that explicitly allow email from any source, and use that
> domain as his HELO string.
Rejecting on wrong information in HELO/EHLO saves me lots of spam.
darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
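
The verification the quoted RFC 2821 text describes (does the HELO/EHLO name correspond to the client's IP address), as an added example that is not part of the original message or of Dovecot. The DNS table, the function names and the `log`/`reject` policy switch are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed forward-DNS table standing in for real A/AAAA lookups
# (assumption), so the example runs offline.
SAMPLE_DNS = {
    "mail.example.org": {"192.0.2.10"},
    "mx.example.net": {"198.51.100.7"},
}
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_helo(helo, client_ip, resolve=None):
    """Return (status, detail) for a HELO/EHLO argument sent by client_ip."""
    resolve = resolve or (lambda name: SAMPLE_DNS.get(name.lower(), set()))
    client = ipaddress.ip_address(client_ip)
    # Address-literal form, e.g. [192.0.2.10] or [IPv6:2001:db8::1]
    if helo.startswith("[") and helo.endswith("]"):
        body = helo[1:-1]
        if body.lower().startswith("ipv6:"):
            body = body[5:]
        try:
            literal = ipaddress.ip_address(body)
        except ValueError:
            return ("malformed", "bad address literal")
        if literal == client:
            return ("match", "address literal")
        return ("mismatch", "literal differs from peer")
    labels = helo.rstrip(".").split(".")
    # Reject single labels, bad characters and bare IPs without brackets.
    if (len(labels) < 2 or labels[-1].isdigit()
            or not all(_LABEL.fullmatch(label) for label in labels)):
        return ("malformed", "not a fully qualified domain name")
    addrs = {ipaddress.ip_address(a) for a in resolve(".".join(labels))}
    if not addrs:
        return ("unresolvable", "no address records")
    if client in addrs:
        return ("match", "forward lookup")
    return ("mismatch", "name resolves elsewhere")


def decide(status, policy="log"):
    """'log' follows the RFC text quoted above (never refuse on a failed
    check); 'reject' is a stricter local policy."""
    if status == "match" or policy == "log":
        return "accept"
    return "reject"
```

A `match` only shows that the name resolves to the connecting address; a sender who controls the domain used in HELO gets a `match` as well, which is the limitation the quoted message points out.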