Re: 7. BCP - Mail Administrators: Checking HELO (was: [Asrg] 0. General - Administrative - for M. Wild)

2003-09-02 06:47:51
On 2003-08-31 02:09:34 +0200, Brad Knowles wrote:
> At 11:19 PM +0200 2003/08/30, Peter J. Holzer wrote:
>
>> RFC 2821 requires the parameter to be either an FQDN or an address
>> literal. A client which sends an unqualified hostname is in violation of
>> the RFC without any good reason. (broken software and lazy
>> administrators are not good reasons, IMHO)
>
>       I don't see this requirement in 2821:
>
> 3.6 Domains
>
>    Only resolvable, fully-qualified, domain names (FQDNs) are permitted
>    when domain names are used in SMTP.  In other words, names that can
>    be resolved to MX RRs or A RRs (as discussed in section 5) are
>    permitted, as are CNAME RRs whose targets can be resolved, in turn,
>    to MX or A RRs.  Local nicknames or unqualified names MUST NOT be
>    used.  There are two exceptions to the rule requiring FQDNs:
>
>    -  The domain name given in the EHLO command MUST BE either a primary
>       host name (a domain name that resolves to an A RR) or, if the host
>       has no name, an address literal as described in section 4.1.1.1.
>
>       Note that the RFC explicitly states that the IPv4 address should
> be in square brackets.  Which is precisely the kind of behaviour that
> I believe you said that you were refusing.

I didn't say I'm refusing anything. I listed four different tests one
could apply to the hello parameter and tried to identify who would be
affected by those tests.

In the first two tests, address literals are allowed, in the other two
they are forbidden.


>> Any reason why it must identify itself as [10.0.1.5]? Why not with the
>> external IP address or as bradknowles.dyndns.net?
>
>       If it's behind a NAT, how would it know the external DNS name?
> If that IP address on the NAT device is dynamically assigned and the
> machine is not an intelligent host running software capable of
> updating a dynamic DNS record (as 99.999% of all NAT/router devices
> are almost certainly going to be), then how would the internal host
> know what this external DNS name is?

The external name stays fixed. You register a name at a dynamic dns
provider (I am using dyndns.org (sorry, not dyndns.net, that seems to be
something else) as an example here because a few people I know use it -
there are others). Then you configure your mail server to always use
that name in the helo command. Finally you run a program which detects
your real address (e.g., by connecting to http://checkip.dyndns.org/)
and updates the DNS record at regular intervals.

Yes, this works only with forward lookups, not with reverse lookups.

        hp

-- 
   _  | Peter J. Holzer    | Humor ohne Emoticons ist trockener Humor.
|_|_) | Sysadmin WSR       | 
| |   | hjp(_at_)hjp(_dot_)at         | -- Toni Grass in aip
__/   | http://www.hjp.at/ |
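The distinctions argued over above (an FQDN, a bracketed address literal, or an unqualified name in the EHLO/HELO parameter, and a NAT'ed host announcing an inside address like [10.0.1.5] that the receiver cannot verify) can be turned into a small receiver-side classifier. The code below is an added example, not code from either poster or from the ASRG thread, and the rules it encodes are my own reading of the RFC 2821 section 3.6 text quoted above, not the four tests the reply refers to. It assumes the hostname-label syntax of RFC 1123 and treats RFC 1918 space plus loopback as the "unreachable from outside" ranges; it only checks syntax and makes no DNS queries, so the RFC's "resolves to an A RR" condition is deliberately out of scope.

```python
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits or hyphens, no leading/trailing hyphen (RFC 1123 style).
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Address ranges that cannot be reached from the public Internet. A NAT'ed host that
# announces one of these in its HELO literal gives the receiver nothing to verify.
# (Constructed list for this example: RFC 1918 space plus loopback.)
UNROUTABLE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_literal(param: str):
    """Return the IP address inside a bracketed literal, or None if it is not one.

    Accepts [a.b.c.d] and the tagged form [IPv6:...] (RFC 2821 section 4.1.3).
    """
    if len(param) < 3 or param[0] != "[" or param[-1] != "]":
        return None
    inner = param[1:-1]
    try:
        if inner.startswith("IPv6:"):
            return ipaddress.IPv6Address(inner[5:])
        return ipaddress.IPv4Address(inner)
    except ValueError:
        return None


def classify_helo(param: str) -> str:
    """Syntactic classification of an EHLO/HELO parameter per RFC 2821 section 3.6.

    Returns:
      'address-literal'  bracketed IP literal such as [192.0.2.10]
      'fqdn'             syntactically valid fully-qualified domain name
      'unqualified'      bare hostname with no dot (MUST NOT be used per 3.6)
      'invalid'          anything else: empty, bad characters, unbracketed IP,
                         trailing dot, all-numeric top-level label
    Syntax only: whether the FQDN really resolves to an A RR needs a live DNS
    query and is left out of this offline example.
    """
    if not param:
        return "invalid"
    if parse_literal(param) is not None:
        return "address-literal"
    if param.startswith("["):
        return "invalid"  # looked like a literal but did not parse
    labels = param.split(".")
    if any(not LABEL_RE.match(label) for label in labels):
        return "invalid"
    if len(labels) == 1:
        return "unqualified"
    if labels[-1].isdigit():
        return "invalid"  # e.g. 10.0.1.5 without brackets is not a domain name
    return "fqdn"


def is_unroutable_literal(param: str) -> bool:
    """True when the parameter is an IPv4 address literal inside private/loopback space."""
    addr = parse_literal(param)
    if addr is None or addr.version != 4:
        return False
    return any(addr in net for net in UNROUTABLE_NETS)


def helo_report(params):
    """Map each parameter to (classification, unroutable-literal flag)."""
    return {p: (classify_helo(p), is_unroutable_literal(p)) for p in params}


if __name__ == "__main__":
    # Constructed sample of HELO parameters as a receiving MTA might log them.
    samples = ["[10.0.1.5]", "[192.0.2.10]", "mail.example.org", "mailhost",
               "10.0.1.5", "[IPv6:2001:db8::1]", "mail.example.org.", ""]
    for p, (kind, unroutable) in helo_report(samples).items():
        print(f"{p!r:24} {kind:16} {'private-literal' if unroutable else ''}")
```

A receiver that wants to follow the thread's advice would treat `unqualified` and `invalid` as policy violations, accept `fqdn` subject to a forward lookup, and decide separately what to do with an `address-literal` that is RFC-compliant in form but announces an address (`is_unroutable_literal`) that tells the outside world nothing about the sender.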
