[Mimedefang] Revisit: Filtering on HELO

Philip Prindeville philipp_subx at redfish-solutions.com
Mon Mar 26 19:24:05 EDT 2007

David F. Skoll wrote:
> Philip Prindeville wrote:
>>> Why is it incorrect?  A multihomed host can call itself any of its
>>> IP addresses.
> [...]
>> It's incorrect because the originating machine might
>> be hosting several logic, distinct domains, each with
>> its own IP address... which are *not* interchangeable.
> You didn't answer the question:  WHY is it incorrect for a multihomed
> machine to HELO as "foo.example.com" even if it is making the connection
> over the interface whose IP address resolves as "bar.example.com"?

What if it's misbehaving?  What if there is a delayed error
that needs to be reported manually?

What if someone does something that ends up causing that
particular domain or IP to be blacklisted?  Do you want to
punish all domains on that host, even if they are separated

What if host A is temporarily also being hosted on host B
because of a bad motherboard, so the owners of host B
clone an ethernet interface and assign address A to it?
Then while host A is co-residing with host B, someone on
host B does something bad.

Should host A also be punished?  Perhaps continuing even
after being moved back onto their own hardware???

I remember the time that someone in my CIDR block did
something, and our whole CIDR block was blacklisted.

I was really pissed...  took 5 days to get only the offending
host address blocked instead of the whole CIDR block.

> It might offend you.  You might *think* it's wrong.  But that doesn't
> make it wrong; a machine is perfectly within its rights to do that.

Assuming you know things about the remote host that you
don't *is* wrong.

It's ill-formed logic.

When is acting on uncertain principles ever the right thing
to do?

>> The server (the one receiving the HELO) can't make
>> any valid assumptions about whether the client is truly
>> multihomed (and all addresses are equivalent), or if
>> it has a bunch of cloned interfaces, each with a unique
>> address and a separate instance of the MTA running
>> on each (and each domains' MX pointing to *just one*
>> IP address on that multihomed machine, not ALL of
>> them).
> The server shouldn't worry its pretty little head over such things.
> Except in blatant cases of obvious lying (eg, client claiming to be
> server's public IP address), the server has no right to impose
> assumptions about what a client should use as its HELO name.
> Regards,
> David.

That cuts both ways.

If you are paranoid (and I'll never deny anyone their right
to be paranoid), then by the same token they have no way
of knowing that the connection originating from A.A.A.A
came from a multihomed host that also has interface B.B.B.B.

You don't know it's lying...  But you have no way of knowing
it's telling the truth, either.

So if you're being paranoid, then it's easier to assume it's lying.


More information about the MIMEDefang mailing list