[Mimedefang] OT: New Sendmail spam block
Richard Laager
rlaager at wiktel.com
Thu Mar 24 15:50:30 EST 2005
On Thu, 2005-03-24 at 12:35 -0600, Ben Kamen wrote:
> I've now run into 2 universities that are blocking email based on invalid
> hostnames at the HELO sequence.
I assume you mean they're blocking for the use of a domain argument to
the HELO command that does not resolve.
> > The sender-SMTP MUST ensure that the <domain> parameter in a HELO command
> > is a valid principal host domain name for the client host. As a result, the
> > receiver-SMTP will not have to perform MX resolution on this name in order
> > to validate the HELO parameter.
This is clear on what you're supposed to be sending. RFC 821 also says
that aliases and nicknames are not allowed for domains.
> > The HELO receiver MAY verify that the HELO parameter really corresponds to
> > the IP address of the sender. However, the receiver MUST NOT refuse to
> > accept a message, even if the sender's HELO command fails verification.
This is a totally different type of verification.
RFC 2821 says:
3.6 Domains
Only resolvable, fully-qualified, domain names (FQDNs) are permitted
when domain names are used in SMTP. In other words, names that can
be resolved to MX RRs or A RRs (as discussed in section 5) are
permitted, as are CNAME RRs whose targets can be resolved, in turn,
to MX or A RRs. Local nicknames or unqualified names MUST NOT be
used. There are two exceptions to the rule requiring FQDNs:
- The domain name given in the EHLO command MUST BE either a primary
host name (a domain name that resolves to an A RR) or, if the host
has no name, an address literal as described in section 4.1.1.1.
This is absolutely clear that you must be using a domain name which is
fully-qualified and resolvable.
I block unqualified names outright, as well as bare IP addresses. IP
addresses that are enclosed in brackets are accepted, as long as they're
not forging one of my IP addresses.
I add 5 points to the SpamAssassin score for unresolvable domain names
to HELO. This is done for practical reasons, not because the standard
doesn't allow me to block outright.
--
Richard Laager <rlaager at wiktel.com>
Wikstrom Telecom Internet
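The HELO policy described in the post (reject unqualified names and bare IPs, accept bracketed address literals unless they claim one of our own addresses, add 5 points when an FQDN does not resolve), written out as an added example; this is not MIMEDefang code or the poster's filter. The function name, the verdict tuple and the injected resolver callback are assumptions, and the DNS lookup is replaced by a caller-supplied function so the check runs offline.

```python
import ipaddress
import re
from typing import Callable, Iterable, Tuple

# Points added for an unresolvable HELO domain (the post's choice).
HELO_UNRESOLVABLE_SCORE = 5.0

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def _is_bare_ip(arg: str) -> bool:
    """True for an IP address given without the RFC 2821 brackets."""
    try:
        ipaddress.ip_address(arg)
        return True
    except ValueError:
        return False

def _parse_literal(arg: str):
    """Return the address inside an address literal such as [192.0.2.1]
    or [IPv6:2001:db8::1]; None if the argument is not a valid literal."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    inner = arg[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None

def _is_fqdn(arg: str) -> bool:
    """At least two syntactically valid labels, e.g. mail.example.com."""
    labels = arg.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def check_helo(arg: str, my_addresses: Iterable[str],
               resolves: Callable[[str], bool]) -> Tuple[str, float, str]:
    """Classify a HELO/EHLO argument: ('reject'|'accept'|'score', points, why).
    `resolves(name)` must answer whether the name has an A or MX record."""
    my_ips = {ipaddress.ip_address(a) for a in my_addresses}
    if _is_bare_ip(arg):
        return ("reject", 0.0, "bare IP address without brackets")
    literal = _parse_literal(arg)
    if literal is not None:
        if literal in my_ips:
            return ("reject", 0.0, "address literal forges one of our addresses")
        return ("accept", 0.0, "address literal")
    if not _is_fqdn(arg):
        return ("reject", 0.0, "unqualified or malformed host name")
    if not resolves(arg):
        return ("score", HELO_UNRESOLVABLE_SCORE, "FQDN does not resolve")
    return ("accept", 0.0, "resolvable FQDN")
```

A real filter would back `resolves` with an A/MX lookup; failing closed on DNS errors is what turns the outright reject into a score, as the post explains.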