[Top] [All Lists]

Re: Site policy vs. HELO

2005-03-09 10:59:04

On 3/8/2005 5:39 PM, Hector Santos wrote:

1) Check for syntax compliance
2) Check for Domain Literal IP match
3) Check for local domain spoofs

1) Check for syntax compliance
2) Per 2821, delay validation until Forwarding path is known.

These are pretty benign tests, and should certainly be optional for
administrators. But that doesn't change my point, experimentation shows
there are just too many poorly-written and poorly-managed SMTP boxes out
there for binary pass/fail reject to be used in the common case.

It's also a violation of the robustness principle, which is what most
folks here are probably most concerned with, although I think that's
really an operational issue in the case of SMTP in particular, and
therefore falls within administrator prerogative.

An example of the problem: RFC2821 $2.3.5 states that "A domain name that
is not in FQDN form is no more than a local alias. Local aliases MUST NOT
appear in any SMTP transaction." In a strict rule-set, therefore, mail
that uses non-FQDN domain names in HELO or MAIL-FROM or anywhere else can
be rejected because it's not allowed. Unfortunately, experimentation shows
that there's a fair chunk of legitimate mail that uses non-FQDNs.

The big realization for me here is that my world-view is biased towards
well-run networks, and that when you get into the lower-middle class of
network users, all those assumptions go out the window.

Eric A. Hall                              
Internet Core Protocols

<Prev in Thread] Current Thread [Next in Thread>