On 14.11.2007 22:31, Kyle Wheeler wrote:
On Wednesday, November 14 at 09:35 PM, quoth Nikolay Shopik:
And HELO in SMTP is entirely unreliable, unverifiable, and on many
servers completely skippable.
RFC says you SHOULD use FQDN for HELO nothing more. But still you can
add SPF record for your HELO so nobody can foged your server HELO,
thats it.
To quote RFC 821:
The HELO receiver MAY verify that the HELO parameter really
corresponds to the IP address of the sender. However, the receiver
MUST NOT refuse to accept a message, even if the sender's HELO
command fails verification.
If you prefer RFC 2821:
An SMTP server MAY verify that the domain name parameter in the
EHLO command actually corresponds to the IP address of the client.
However, the server MUST NOT refuse to accept a message for this
reason if the verification fails: the information about
verification failure is for logging and tracing only.
In practice, what that means is that HELO is useless for doing much of
anything. Spammers or other criminals can forge your server's HELO to
their hearts content and you are expressly forbidden from actually
doing anything about it.
SPF does not override the existing standards.
And in any case, SPF HELO checks are a pointless exercise, since HELO
is permitted to be anything at all without affecting the envelope of
the message. A spammer can create his own domain, publish his own SPF
settings that explicitly allow email from any source, and use that
domain as his HELO string.
~Kyle
That's I'm talking about they only force you to use FQDN but it MAY
unresolvable thats it. Sure thing about SPF HELO checks, I'm just notice
about what they can't forged your HELO(but AFAIK not much servers check
HELO SPF records), everything else is absolutely correct you saying.
