On Fri, Sep 09, 2005 at 02:02:21AM +0100, Tony Finch wrote:
- top priority, crap like "helo xyzzy" or "ehlo oemcomputer"
is acceptable for an MSA (ater SMTP AUTH or similar), but
not from unknown strangers. It's _wrong_ for (2)821(bis).
"We" (I hope) want to harden both "hellos", among others.
At the moment this is an operational problem, not a protocol problem. The
standard, backed up by decades of practice, is too weak for an MTA to
treat the EHLO hostname with any strictness.
I beg to differ.
Rfc821 has this to say:
"HELO <SP> <domain> <CRLF>"
Entire section 3.7, especially this part:
"Whenever domain names are used in SMTP only the official names
are used, the use of nicknames or aliases is not allowed."
This paragraph in 4.1.2:
"Sometimes a host is not known to the translation function and
communication is blocked. To bypass this barrier two numeric
forms are also allowed for host "names". One form is a decimal
integer prefixed by a pound sign, "#", which indicates the
number is the address of the host. Another form is four small
decimal integers separated by dots and enclosed by brackets,
e.g., "[123.255.37.2]", which indicates a 32-bit ARPA Internet
Address in four 8-bit fields."
The glossary:
"domain"
"The hierarchially structured global character string address of a
host computer in the mail system."
Clearly the restrictions are: FQDN, or a specific numeric form but
only if there is no FQDN and communication is blocked as a result.
To be fair, I should also point out that RFC821 does not allow
labels to be two characters (or one) and/or start with a digit:
<domain> ::= <element> | <element> "." <domain>
<element> ::= <name> | "#" <number> | "[" <dotnum> "]"
<name> ::= <a> <ldh-str> <let-dig>
<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
<let-dig-hyp> ::= <a> | <d> | "-"
<let-dig> ::= <a> | <d>
<a> ::= any one of the 52 alphabetic characters A through Z
in upper case and a through z in lower case
<d> ::= any one of the ten digits 0 through 9
An additional problem is that this BNF allows "[12.34.56.78].abc.#123".
Domains were a new concept at that time, small mistakes are to be expected.
Labels less than three characters long weren't invented yet, at that time
labels starting with a digit weren't allowed. Updated BNF:
<domain> ::= <names> | <numbers>
<numbers> ::= "#" <number> | "[" <dotnum> "]"
<names> ::= <name> | <name> "." <names>
<name> ::= <name1> | <name2> | <name3>
<name1> ::= <let-dig>
<name2> ::= <let-dig> <let-dig>
<name3> ::= <let-dig> <ldh-str> <let-dig>
<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
<let-dig> ::= <a> | <d>
<a> ::= any one of the 52 alphabetic characters A through Z
in upper case and a through z in lower case
<d> ::= any one of the ten digits 0 through 9
ABNF allows a couple of short cuts:
domain = names | numbers
numbers = ("#" number) | ("[" dotnum "]")
names = *(name ".") name
name = 1*(ALPHA | DIGIT) *( *(ALPHA | DIGIT | "-") (ALPHA | DIGIT) )
("#" number is now obsoleted; need ipv6 variant in return)
I'm pretty sure there is an empty label at the top of the DNS tree, so it
probably should be corrected further:
names = *(name ".") name
change into
names = *(name ".") name "."
but that would have a really huge impact I guess.
Alex