On 14.11.2007 22:31, Kyle Wheeler wrote:
On Wednesday, November 14 at 09:35 PM, quoth Nikolay Shopik:
And HELO in SMTP is entirely unreliable, unverifiable, and on many servers completely skippable.
RFC says you SHOULD use FQDN for HELO nothing more. But still you can add SPF record for your HELO so nobody can foged your server HELO, thats it.
To quote RFC 821:
The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.
If you prefer RFC 2821:
An SMTP server MAY verify that the domain name parameter in the EHLO command actually corresponds to the IP address of the client. However, the server MUST NOT refuse to accept a message for this reason if the verification fails: the information about verification failure is for logging and tracing only.
In practice, what that means is that HELO is useless for doing much of anything. Spammers or other criminals can forge your server's HELO to their hearts content and you are expressly forbidden from actually doing anything about it.
SPF does not override the existing standards.
And in any case, SPF HELO checks are a pointless exercise, since HELO is permitted to be anything at all without affecting the envelope of the message. A spammer can create his own domain, publish his own SPF settings that explicitly allow email from any source, and use that domain as his HELO string.
~Kyle That's I'm talking about they only force you to use FQDN but it MAY unresolvable thats it. Sure thing about SPF HELO checks, I'm just notice about what they can't forged your HELO(but AFAIK not much servers check HELO SPF records), everything else is absolutely correct you saying.