[Mimedefang] Rejecting forged senders - comments?

David F. Skoll dfs at roaringpenguin.com
Wed Sep 20 10:18:26 EDT 2006

John Rudd wrote:

>   An SMTP server MAY verify that the domain name parameter in the EHLO
>   command actually corresponds to the IP address of the client.
>   However, the server MUST NOT refuse to accept a message for this
>   reason if the verification fails: the information about verification
>   failure is for logging and tracing only.

> You MUST NOT reject based on the presence of bogus host information in
> the HELO/EHLO command.

That is not correct; I come down on Jan-Pieter's side.

You MUST NOT refuse a message if the HELO hostname does not resolve
to the IP address of the client.

But you can refuse the message for other reasons.  For example,
on our server, if someone HELOs as "*.roaringpenguin.com", we reject
the mail.  We don't reject it because the IP address doesn't match, but
rather because we know the client is lying.  We have complete knowledege
of all machines in the roaringpenguin.com domain, so we know with 100%
certainty when a machine is lying.

This is a very subtle distinction, but nevertheless is permitted
behaviour, I believe.  The wording in the RFC is designed to protect
SMTP clients behind NAT boxes or that don't know their on FQDN, not to
protect spammers who misguidedly believe that HELOing as their victim
gets them a free ride past a spam filter.



More information about the MIMEDefang mailing list