Re: Reverse dns checking for local machine

Author: Greg A. Woods
Date:  
To: Philip Hazel
CC: John Henders, exim-users
Subject: Re: Reverse dns checking for local machine
[ On Thu, August 21, 1997 at 11:12:27 (+0100), Philip Hazel wrote: ]
> Subject: Re: Reverse dns checking for local machine
>
> RFC 821 specifically forbids refusal of mail on the basis of what the
> sending host sends in the HELO/EHLO command. However, you can get Exim
> to check it. Just set the helo_verify_hosts or helo_verify_nets option.


Actually it's RFC 1123 that says this, though the folks working on the
"son-of-821" draft have merged most of the 1123 recommendations. This
is yet another of 1123's instances of the famous "Robustness Principle".
The original 1982 publication of RFC 821 says only:

    If the HELO command argument is not acceptable a 501 failure
    reply must be returned and the receiver-SMTP must stay in the
    same state.


In a corporate world justifying non-verification and early rejection by
citing the "robustness principle" is probably enough to get you fired as
a security officer.

My recollection is that many of the old 1123 (that was 1989!)
recommendations were there to appease folks who were put into the
position of non-compliance by the "new" (then) state of affairs. These
were recommendations intended to tide everyone over through a state of
incremental change as new protocols were more widely deployed. I think
by now we can depend on experts to correctly configure their software.
The number of sites that still run software incapable of conforming is
probably zero, though the number of sites run by un-trained people is
unfortunately still rather high, and there are a few so-called experts
who will use the robustness principle to justify their own intentional
non-compliance with other rules.

-- 
                            Greg A. Woods


+1 416 443-1734      VE3TCP      <gwoods@???>      <robohack!woods>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>