[Mimedefang] Revisit: Filtering on HELO

Philip Prindeville philipp_subx at redfish-solutions.com
Sun Mar 25 22:05:03 EDT 2007

Jeff Rife wrote:
> As long as the hostname or address literal in the "HELO" is a public 
> address, then it makes no difference if that name in any way matches 
> the interface from which the connection comes.

Ok, putting this issue to bed for good.  Quoting RFC-1123:

      5.2.5  HELO Command: RFC-821 Section 3.5

         The sender-SMTP MUST ensure that the <domain> parameter in a
         HELO command is a valid principal host domain name for the
         client host.  As a result, the receiver-SMTP will not have to
         perform MX resolution on this name in order to validate the
         HELO parameter.

         The HELO receiver MAY verify that the HELO parameter really
         corresponds to the IP address of the sender.  However, the
         receiver MUST NOT refuse to accept a message, even if the
         sender's HELO command fails verification.

              Verifying the HELO parameter requires a domain name lookup
              and may therefore take considerable time.  An alternative
              tool for tracking bogus mail sources is suggested below
              (see "DATA Command").

              Note also that the HELO argument is still required to have
              valid <domain> syntax, since it will appear in a Received:
              line; otherwise, a 501 error is to be sent.

              When HELO parameter validation fails, a suggested
              procedure is to insert a note about the unknown
              authenticity of the sender into the message header (e.g.,
              in the "Received:"  line).

Hmm.  Or not.  Ok, that was less conclusive than it should have
been...  Well, the operative sentence is "The HELO receiver MAY
verify that the HELO parameter really corresponds to the IP address
of the sender."

How else to do that in the case of an address-literal than checking
that the EHLO argument matches the address reported by getsockname()???

Unless you're requiring the remote server to have complete knowledge
of all interfaces on the originator (i.e. client) of the connection...
which seems an incredibly bad idea.

It's also not uncommon (though a waste of address space, IMO)
for a host to have multiple virtualized addresses, each corresponding
to a different domain.

In that case, they are quite distinct and deliberately *not*


More information about the MIMEDefang mailing list