[Mimedefang] Revisit: Filtering on HELO
philipp_subx at redfish-solutions.com
Sun Mar 25 22:05:03 EDT 2007
Jeff Rife wrote:
> As long as the hostname or address literal in the "HELO" is a public
> address, then it makes no difference if that name in any way matches
> the interface from which the connection comes.
Ok, putting this issue to bed for good. Quoting RFC-1123:
5.2.5 HELO Command: RFC-821 Section 3.5
The sender-SMTP MUST ensure that the <domain> parameter in a
HELO command is a valid principal host domain name for the
client host. As a result, the receiver-SMTP will not have to
perform MX resolution on this name in order to validate the
The HELO receiver MAY verify that the HELO parameter really
corresponds to the IP address of the sender. However, the
receiver MUST NOT refuse to accept a message, even if the
sender's HELO command fails verification.
Verifying the HELO parameter requires a domain name lookup
and may therefore take considerable time. An alternative
tool for tracking bogus mail sources is suggested below
(see "DATA Command").
Note also that the HELO argument is still required to have
valid <domain> syntax, since it will appear in a Received:
line; otherwise, a 501 error is to be sent.
When HELO parameter validation fails, a suggested
procedure is to insert a note about the unknown
authenticity of the sender into the message header (e.g.,
in the "Received:" line).
Hmm. Or not. Ok, that was less conclusive than it should have
been... Well, the operative sentence is "The HELO receiver MAY
verify that the HELO parameter really corresponds to the IP address
of the sender."
How else to do that in the case of an address-literal than checking
that the EHLO argument matches the address reported by getsockname()???
Unless you're requiring the remote server to have complete knowledge
of all interfaces on the originator (i.e. client) of the connection...
which seems an incredibly bad idea.
It's also not uncommon (though a waste of address space, IMO)
for a host to have multiple virtualized addresses, each corresponding
to a different domain.
In that case, they are quite distinct and deliberately *not*
More information about the MIMEDefang