[RFCI-Discuss] DSN listing of secureserver.net
Alan Brown
alanb at digistar.com
Wed Oct 25 03:56:57 EDT 2006
On Tue, 24 Oct 2006, T wrote:
> For the record, a lot of SPF configurations don't realize that HELO does
> matter in the case of null <> sends and that "brain dead" behavior is
> actually probably per spec and totally correct.
Which raises the issue that RFC 821/822 states that HELOs need not bear
any relationship to the actual hostname - as long as they're
syntactically valid.
> That sorta means, you probably have not configured the SPF records for
> the hostnames you use in your HELO greets
Surprise surprise - considering the HELO was given from a machine an
ocean away from the designated MX.
> so the problem is probably entirely your fault sorry to say, but a lot
> of domains are like that.
In general, if one wants to test rejections on SPF it is usually best to
test from a host OTHER than one listed in the SPF record.....
> While for the longest time, I thought it annoying that all hotmail
> servers used "hotmail.com" in their HELOs, not quite to the spirit of
> RFCs
But entirely within the meaning of them.
The RFCs are quite clear that messages MUST NOT be rejected on the basis
of HELO not matching the connecting hostname.
> (individual servers weren't identifiable)
HELOs aren't intended for individual server identification and never were.
> The moral of this story, or of the original story (this thread) is...
> if you have a mail server, configure SPF records for your hostnames too.
The amusing thing about this is that there are no valid PTR records for
manawatu.net.nz and the envelope is never used to send mail, which is
why I used that HELO from a machine in uk.linux.org (nothing to do with
the MX record either)
> The moral of the hotmail story is they can't get anything right.
Hotmail has been explicitly blocked on $orkplace servers for years,
along with Yahoo and (more recently) Gmail - due in all 3 cases to lack
of action on emission of 419 cruft.
AB
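
The null-sender case discussed in this thread, as an added example that is not part of the original messages: under RFC 4408 section 2.2, an empty reverse-path makes the SPF check run against postmaster@ the HELO name, so a bounce is judged by the HELO name's record rather than the mail domain's. The domains, addresses and records below are constructed, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed sample policies standing in for DNS TXT lookups.
POLICIES = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "mx1.example.org": "v=spf1 ip4:192.0.2.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_identity(mail_from, helo):
    """Return (domain, sender) that the SPF check evaluates."""
    addr = mail_from.strip("<>")
    if not addr:
        # Null reverse-path (DSN/bounce): RFC 4408 2.2 substitutes
        # postmaster@<HELO name>, so the HELO name needs its own record.
        return helo.lower(), "postmaster@" + helo.lower()
    return addr.rpartition("@")[2].lower(), addr

def evaluate(record, client_ip):
    """Evaluate ip4 and all only; other mechanisms are skipped here."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qual]
        if name.lower() == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"

def check_host(client_ip, mail_from, helo):
    """Pick the identity, look up its constructed policy, return (sender, result)."""
    domain, sender = spf_identity(mail_from, helo)
    record = POLICIES.get(domain)
    return sender, (evaluate(record, client_ip) if record else "none")

if __name__ == "__main__":
    for ip, frm, helo in [("192.0.2.10", "<user@example.org>", "mx2.example.org"),
                          ("192.0.2.10", "<>", "mx2.example.org"),
                          ("192.0.2.25", "<>", "mx1.example.org"),
                          ("198.51.100.7", "<>", "mx1.example.org")]:
        print(ip, frm, helo, "->", check_host(ip, frm, helo))
```

The second sample shows the gap the thread is about: the same host that passes for ordinary mail yields `none` for its bounces because the HELO name has no record of its own.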