At 10:40 PM 8/29/03 -0400, Richard Rognlie wrote:
Section 4.1.4
An SMTP server MAY verify that the domain name parameter in the
EHLO command actually corresponds to the IP address of the client.
However, the server MUST NOT refuse to accept a message for this
reason if the verification fails: the information about verification
failure is for logging and tracing only.
It says we can't use the IP as a basis for rejection. I'm wondering
why not...? Yes, if only an IP is presented, I can envision that it
was presented by a machine behind a NAT... so it presents 192.168.x.y
but the connecting IP is God knows what... But do I want to accept
that mail?
And certainly... if a machine presents *MY* IP addr as the connecting
info... but the connecting IP does not have anything to do with my
network... Bzzzzt! Next player!
or when they say "EHLO gamerz.net" but again are NOT on my network.
Bzzzzt!
I think the point of 4.1.4 is that you can't expect the HELO to
resolve to the ip that's connecting to you. (In some cases,
it's not even possible to pick a HELO that works. A machine that
hosts 70 domains on a single IP for example.)
Can't I? I don't expect the MTA to identify itself as one of the
domains it hosts. I expect an MTA to identify itself as who *it*
it...
There are machines that can't tell which IP address they
are connecting through. Would you, for example, reject email
sent to yourself because it came in on 127.0.0.1, but the
HELO was for example.com? What if the domain resolved to
10.1.2.3 but the connecting IP was 10.1.2.5?
However, a lot of machines out there don't use even remotely "correct"
HELO arguments. For example, a lot of machines use unqualified
host names ("bob" instead of "bob.example.com").
If you block because the HELO is not a FQDN, you're going to
block a fair amount of legitimate mail.
If a host does not identify itself, I don't want it's mail. RFC2821
clearly says that it should identify itself with its FQDN. so the
lack of a '.' in the HELO argument is enough to cause a rejection
(if I wanted).
You can reject it if it's IP is a prime number if you like,
it would just mean you aren't RFC compliant.
However, your IP address is very different. That can't reasonably
be the result of stupidity - it's almost certainly done on purpose.
Likewise your domain can't reasonably be acidentally chosen as a
HELO argument either.
Right. The only problem I can envision is if you're behind a NAT,
and you claim to be 192.168.x.y. *why* you;d claim that instead of the
IP of the NAT... or better the hostname that the NAT represents...
I have no idea... Besides... shouldn't NATed boxes send mail to their
*local* outbound MTAs first? So, you know what...? I don't care.
A server might claim that because a server has no way of knowing
what IP it's being NATed to. Again, you can reject email
from servers that can't figure that out, but you wouldn't
be RFC compliant if you did.
If the box connecting to me claims EHLO 192.168.x.y, but the connecting
IP is 234.123.4.65. That's enough reason to block it for me.
You might be able to add other domains to the list, like yahoo.com,
but that's a little dangerous unless you can be very sure of
/all/ the IPs that are assigned to yahoo.com.
In the long run, blocking based on these things is self limiting.
Once enough people do it, spammers will stop.
You'll catch a small amount of spam, and a small amount legitimate
mail, then everybody fixes the bugs and you're right back where you
were before.
The DRIP milter ftp://ftp.gamerz.net/pub/dripmilter.pl
has been tweaked to think that non-FQDNs (that do not match after
even doing a resolv.conf "search") or IPs (that mismatch) are
enough cause to FAIL the DRIP test.
The only way I will accept mail from a host that fails the DRIP test
is if the connection SMTP AUTHs.
You can reject email for any reason you like (many do),
but you may not be RFC compliant if you do.
Yahoo tempfails multiple RCPTs if the sender is <>,
that's not compliant either, but I doubt many would fault them for it.
Rejecting email because the HELO is wrong is likely to generate
complaints. But hey - If you're running your own server then
it's just you that you need to please. And if you run a server
for others, then as they're fond of saying on NANOG -
I invite my competitors to engage in such behavior.
Scott Nelson <scott(_at_)spamwolf(_dot_)com>
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg