[Wylug-discuss] Re: SMTP standards (was Please confirm...)
James Holden
wylug at jamesholden.net
Sun Mar 28 16:04:23 BST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
gARetH baBB wrote:
[snip]
| Let's look at your primary MX, zion.2dcube.co.uk.
|
| (I'm presuming some of these things, because depending on how you config
| things it's hard to tell without going through a full mail delivery
| including the DATA part)
|
| It's accepted a non-qualified HELO (fish).
|
| It's accepted a bogus HELO/EHLO of "jamesholden.net"
|
| It's accepted a bogus HELO/EHLO of 80.84.72.131.
|
| It's accepted MAIL without any previous valid HELO/EHLO.
|
| It's not doing sender verify callouts.
|
| That's 80% of spam allowed through which otherwise would have been caught.
Although I'm now doing sender verift callouts, having upgraded to a
postfix snapshot and patched TLS into it, I'll point out that if you
reject mail based on any of the other tests you did, then your mail
relay is broken.
Clients should use EHLO, although HELO must still be supported by
servers. There is no requirement to do either.
There is no requirement for the information given with the HELO/EHLO to
be a valid hostname. It may be a network address or any other
information to help identify the client.
If you deny access based on an invalid HELO, you *will* lose legitimate
mail, and you *will* be breaking RFC 2821 (sec 4.1.4).
That said, if the SMTP client has a static IP address, it must send it's
DNS domain name as the argument to it's HELO/EHLO, so if a client
doesn't do this, then it's considered to be broken, but if a server
refuses mail because of this, then it is broken too, in a much more
serious way though.
See RFC 821 and 2821.
James
- --
James Andrew Holden, Leeds, UK (james at jamesholden dot net)
GPG Key: 1024D/8358863A *Please encrypt mail where possible!*
Fingerprint: 32C9 A76F 3CFE A06C 1B00 5AAB 9877 4742 8358 863A
jamesholden.net ICQ: 11290827 >Buy Linux CDs from fastdiscs.com<
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFAZul3mHdHQoNYhjoRArgkAKC7+d6CmjJIOi1wqtk7H/K0VBrsTgCgmdEX
gN8cJA9g7pjZaUXyxafj15g=
=6P2j
-----END PGP SIGNATURE-----
More information about the Wylug-discuss
mailing list