[Dovecot] SSL/TLS with Outlook client

Nikolay Shopik shopik at inblock.ru
Wed Nov 14 21:37:03 EET 2007


On 14.11.2007 22:31, Kyle Wheeler wrote:
> On Wednesday, November 14 at 09:35 PM, quoth Nikolay Shopik:
>>> And HELO in SMTP is entirely unreliable, unverifiable, and on many 
>>> servers completely skippable.
>>>
>> RFC says you SHOULD use an FQDN for HELO, nothing more. But still you can 
>> add an SPF record for your HELO so nobody can forge your server's HELO, 
>> that's it.
>
> To quote RFC 821:
>
>     The HELO receiver MAY verify that the HELO parameter really
>     corresponds to the IP address of the sender. However, the receiver
>     MUST NOT refuse to accept a message, even if the sender's HELO
>     command fails verification.
>
> If you prefer RFC 2821:
>
>     An SMTP server MAY verify that the domain name parameter in the
>     EHLO command actually corresponds to the IP address of the client.
>     However, the server MUST NOT refuse to accept a message for this
>     reason if the verification fails: the information about
>     verification failure is for logging and tracing only.
>
> In practice, what that means is that HELO is useless for doing much of 
> anything. Spammers or other criminals can forge your server's HELO to 
> their heart's content and you are expressly forbidden from actually 
> doing anything about it.
>
> SPF does not override the existing standards.
>
> And in any case, SPF HELO checks are a pointless exercise, since HELO 
> is permitted to be anything at all without affecting the envelope of 
> the message. A spammer can create his own domain, publish his own SPF 
> settings that explicitly allow email from any source, and use that 
> domain as his HELO string.
>
> ~Kyle
That's what I'm talking about: they only force you to use an FQDN, but it MAY
be unresolvable, that's it. Sure thing about SPF HELO checks; I'm just noting
that they can't forge your HELO (but AFAIK not many servers check
HELO SPF records). Everything else you are saying is absolutely correct.
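
Added example, not part of the original thread or of any project's code: a minimal SPF check of the HELO identity that shows both points made above, namely that a published record stops others from passing as your HELO name, and that a "pass" for a sender-controlled domain proves nothing about the sender. The domains, addresses and records are constructed, DNS is replaced by a dictionary, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumed sample data).
SPF_RECORDS = {
    "mail.example.org": "v=spf1 ip4:192.0.2.10 -all",  # operator protecting its HELO name
    "bulk.example.net": "v=spf1 +all",                 # sender-owned domain allowing any source
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_helo_spf(helo_name, client_ip, records=SPF_RECORDS):
    """Return the SPF result for the HELO identity (ip4/ip6/all mechanisms only)."""
    record = records.get(helo_name.lower().rstrip("."))
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable record published for this HELO name
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


def helo_trace_field(helo_name, client_ip):
    """Format the result for logging and tracing, the use the quoted RFC 2821 text allows."""
    result = check_helo_spf(helo_name, client_ip)
    return f"helo={helo_name} client-ip={client_ip} helo-spf={result}"


if __name__ == "__main__":
    for helo, ip in [
        ("mail.example.org", "192.0.2.10"),   # the real server
        ("mail.example.org", "203.0.113.7"),  # another host using the same HELO name
        ("bulk.example.net", "203.0.113.7"),  # sender-owned domain with +all
        ("unlisted.example.com", "203.0.113.7"),
    ]:
        print(helo_trace_field(helo, ip))
```
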

