Re: [Exim] AOL - SPF - and EXIM

Author: Alan J. Flavell
Date:  
To: Exim User's Mailing List
Subject: Re: [Exim] AOL - SPF - and EXIM
On Fri, 11 Jun 2004, Greg A. Woods wrote:

> RFCs cannot mandate site security policies. Period.


In practical terms, I agree,

> You can 5xx right at HELO if you damn well feel like it, just as you can
> 5xx at greeting time.


Quite how you square that with the mandate to accept postmaster mail
is unclear.

> > 5xx'ing at RCPT TO based on HELO data is a perfectly valid way to go.
>
> Well, no, it's not, at least not if you are even a tiny amount concerned
> with the possibility of rejecting legitimate mail.


If you're going to reject mail before you even know who it's for, how
are you ever going to deal with attempts to report false positives to
the postmaster?

> If you reject at RCPT time based on your dislike of the HELO parameter
> then you're only confusing the sender, at best.


If their client fails to present our explanation to them, then that's
surely their problem?

> You're saying at the
> protocol level that you don't like that recipient address


No, we're saying that we don't like that recipient address *taken in
combination with other features of their previous actions in the
transaction*. If they were in our whitelist, that wouldn't matter.
But if we reject them at HELO time, how would we ever know?

> I.e. leaving the 5xx to RCPT time instead of sending it at HELO time
> when you should is just plain stupid


I reached a different conclusion, and I find your arguments
unconvincing.

> Remember that the explanatory text of the message
> you send along with the 5xx response is often lost,


You've identified the real problem, but not apparently drawn the
appropriate conclusion.
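
The approach argued for in this message, sketched as an Exim ACL fragment. This is an added example, not configuration from the original post or from either poster. The `helo_whitelist` host list, the `acl_c_helo_bad` variable, the example.org names, the 192.0.2.0/24 range and the particular HELO test (a bare IP address) are assumptions chosen for illustration.

```exim
# Main section. All names and values here are constructed for the example.
domainlist local_domains  = example.org
hostlist   helo_whitelist = 192.0.2.0/24

acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_helo:
  # Note the objection to the HELO argument, but do not reject here.
  # acl_c_* variables persist for the rest of the SMTP connection.
  warn    condition = ${if isip{$sender_helo_name}}
          set acl_c_helo_bad = HELO argument is a bare IP address
  accept

acl_check_rcpt:
  # Postmaster stays reachable whatever was said at HELO, so that
  # false positives can still be reported.
  accept  local_parts = postmaster
          domains     = +local_domains

  # Whitelisted hosts are exempt from the HELO objection.
  accept  hosts       = +helo_whitelist

  # Only now act on the HELO verdict: the 5xx is issued at RCPT time,
  # once the recipient and the whitelist status are both known.
  deny    condition   = ${if def:acl_c_helo_bad}
          message     = Rejected: $acl_c_helo_bad. \
                        Mail to postmaster@example.org is still accepted.

  accept  domains     = +local_domains
  deny    message     = relay not permitted
```

Rejecting in `acl_check_helo` instead would end the exchange before the postmaster and whitelist checks could ever run.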