
Re: [Fwd: I-D ACTION:draft-klensin-rfc2821bis-01.txt]

2007-03-27 13:05:35
On 2007-03-26 04:41:38 -0400, Hector Santos wrote:
> Case in point, The Thunderbird MUA violates the EHLO [literal] when the 
> client is residing on a private address behind a NAT.  TBird attempts to 
> get the FQDN and if not available, it uses the domain literal for the 
> client machine.   If a server is checking for strict IP correctness, it 
> might fail this transaction.

Thunderbird is - as you say - a MUA, not an MTA. Conceptually it speaks
the SUBMISSION protocol, not the (general) SMTP protocol. Although the
protocols are technically identical, the requirements are very
different. An MX might reasonably expect any SMTP client to know its own
host name and IP address and fail a transaction where the client sends
a bogus hostname or IP address in the EHLO. A submission server OTOH
cannot expect this in the general case and shouldn't fail a transaction
because of that. There is also little point in doing this because it
has other, stronger, means for identifying legitimate clients at its
disposal (e.g., SMTP AUTH).

> Our solution for current clients was to offer a local policy option to 
> relax EHLO domain literal checking for SUBMIT (port 587) transactions 
> because there is an inherent expectation and requirement for a pending 
> ESMTP AUTH login.  Otherwise under a port 25 connection, the invalid 
> domain literal IP will be rejected (by default).

Yep. Using port 587 for submission has its advantages.


   _  | Peter J. Holzer    | I know I'd be respectful of a pirate 
|_|_) | Sysadmin WSR       | with an emu on his shoulder.
| |   | hjp(_at_)hjp(_dot_)at         |
__/   | |    -- Sam in "Freefall"
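
The port-dependent EHLO policy discussed in this message, as an added example (not code from either poster or from any mail server). The function names, the `relax_submission` option and the return labels are assumptions, as is rejecting syntactically invalid arguments on both ports; hostnames are checked for syntax only, with no DNS lookup.

```python
import ipaddress
import re

SUBMISSION_PORT = 587
# Dot-separated labels of letters, digits and inner hyphens (syntax check only).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def parse_ehlo_arg(arg):
    """Classify an EHLO argument as ('literal', ip), ('domain', name) or ('invalid', None)."""
    if arg.startswith("[") and arg.endswith("]"):
        body = arg[1:-1]
        try:
            if body[:5].lower() == "ipv6:":
                return "literal", ipaddress.IPv6Address(body[5:])
            return "literal", ipaddress.IPv4Address(body)
        except ValueError:
            return "invalid", None
    if _DOMAIN.fullmatch(arg):
        return "domain", arg.lower()
    return "invalid", None


def ehlo_decision(arg, peer_ip, port, relax_submission=True):
    """Return 'accept', 'reject' or 'require-auth' for one EHLO command.

    Port 25: an address literal must equal the connecting peer address.
    Port 587: a mismatching literal (e.g. a private address behind NAT) is
    tolerated when relax_submission is set, because SMTP AUTH must follow.
    """
    kind, value = parse_ehlo_arg(arg)
    if kind == "invalid":
        return "reject"  # assumption: syntax errors are refused on any port
    submission = port == SUBMISSION_PORT
    mismatch = kind == "literal" and value != ipaddress.ip_address(peer_ip)
    if mismatch and not (submission and relax_submission):
        return "reject"
    return "require-auth" if submission else "accept"


if __name__ == "__main__":
    # Constructed sample: MUA behind NAT sends its private address as the literal.
    for port in (25, 587):
        print(port, ehlo_decision("[192.168.1.20]", "203.0.113.7", port))
```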
