[Mimedefang] OT: New Sendmail spam block

Richard Laager rlaager at wiktel.com
Thu Mar 24 15:50:30 EST 2005


On Thu, 2005-03-24 at 12:35 -0600, Ben Kamen wrote:
> I've now run into 2 universities that are blocking email based on invalid
> hostnames at the HELO sequence.

I assume you mean they're blocking for the use of a domain argument to
the HELO command that does not resolve.

> > The sender-SMTP MUST ensure that the <domain> parameter in a HELO command
> > is a valid principal host domain name for the client host. As a result, the
> > receiver-SMTP will not have to perform MX resolution on this name in order
> > to validate the HELO parameter.

This is clear on what you're supposed to be sending. RFC 821 also says
that aliases and nicknames are not allowed for domains.

> > The HELO receiver MAY verify that the HELO parameter really corresponds to
> > the IP address of the sender. However, the receiver MUST NOT refuse to
> > accept a message, even if the sender's HELO command fails verification.

This is a totally different type of verification.

RFC 2821 says:

3.6 Domains

   Only resolvable, fully-qualified, domain names (FQDNs) are permitted
   when domain names are used in SMTP.  In other words, names that can
   be resolved to MX RRs or A RRs (as discussed in section 5) are
   permitted, as are CNAME RRs whose targets can be resolved, in turn,
   to MX or A RRs.  Local nicknames or unqualified names MUST NOT be
   used.  There are two exceptions to the rule requiring FQDNs:

   -  The domain name given in the EHLO command MUST BE either a primary
      host name (a domain name that resolves to an A RR) or, if the host
      has no name, an address literal as described in section 4.1.1.1.


This is absolutely clear that you must be using a domain name which is
fully-qualified and resolvable.

I block unqualified names outright, as well as bare IP addresses. IP
addresses that are enclosed in brackets are accepted, as long as they're
not forging one of my IP addresses.

I add 5 points to the SpamAssassin score for unresolvable domain names
to HELO. This is done for practical reasons, not because the standard
doesn't allow me to block outright.

-- 
Richard Laager <rlaager at wiktel.com>
Wikstrom Telecom Internet
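
The HELO policy described in the message above (reject unqualified names and bare IP addresses, accept bracketed address literals unless they forge a local address, add 5 points for an unresolvable name), sketched as an added example; this is not code from the original message or from MIMEDefang. The names check_helo, LOCAL_IPS and system_resolves are hypothetical, the sample address is constructed, and rejecting a malformed literal is an assumption.

```python
import ipaddress
import socket

LOCAL_IPS = {ipaddress.ip_address("192.0.2.10")}  # constructed sample value
UNRESOLVABLE_SCORE = 5.0  # points added to the spam score, per the message

def system_resolves(name):
    """Default resolver: True if the name has at least one address record."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False

def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def check_helo(arg, client_ip, local_ips=LOCAL_IPS, resolves=system_resolves):
    """Return (action, score, reason) for one HELO/EHLO argument."""
    arg = arg.strip()
    if arg.startswith("[") and arg.endswith("]"):
        # Address literal such as [198.51.100.7] or [IPv6:2001:db8::1].
        inner = arg[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        ip = parse_ip(inner)
        if ip is None:
            return ("reject", 0.0, "malformed address literal")  # assumption
        # Forgery: a remote client claiming one of our own addresses.
        if ip in local_ips and parse_ip(client_ip) not in local_ips:
            return ("reject", 0.0, "address literal forges a local IP")
        return ("accept", 0.0, "address literal")
    if parse_ip(arg) is not None:
        return ("reject", 0.0, "bare IP address")
    name = arg.rstrip(".")
    if "." not in name:
        return ("reject", 0.0, "unqualified name")
    if not resolves(name):
        # Scored rather than rejected, matching the policy in the message.
        return ("accept", UNRESOLVABLE_SCORE, "unresolvable domain")
    return ("accept", 0.0, "resolvable FQDN")
```

Pass a custom `resolves` callable to plug in a caching or MX-aware lookup; the default only checks for address records.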



