On Thu, 1 Nov 2001, Leonardo Boselli wrote:
> RFC821 say ... but my exim retrun always 550 against EXPN.
> where is the fault ?
This is an area of much disagreement.
> 7.3 VRFY, EXPN, and Security As discussed in section 3.5, individual sites
> may want to disable either or both of VRFY or EXPN for security reasons.
> As a corollary to the above, implementations that permit this MUST NOT
> appear to have verified addresses that are not, in fact, verified. If a site
> disables these commands for security reasons, the SMTP server MUST
> return a 252 response, rather than a code that could be confused with
> successful or unsuccessful verification.
I think that 252 may equally well be confused with a successful
verification. After all, as the RFC points out, you only really need to
look at the first digit of the response code...
Then look at this, from RFC 2821:
3.5.3 Meaning of VRFY or EXPN Success Response
A server MUST NOT return a 250 code in response to a VRFY or EXPN
command unless it has actually verified the address. In particular,
a server MUST NOT return 250 if all it has done is to verify that the
syntax given is valid. In that case, 502 (Command not implemented)
or 500 (Syntax error, command unrecognized) SHOULD be returned. As
stated elsewhere, implementation (in the sense of actually validating
addresses and returning information) of VRFY and EXPN are strongly
recommended. Hence, implementations that return 500 or 502 for VRFY
are not in full compliance with this specification.
[but not EXPN? It's not clear.]
There may be circumstances where an address appears to be valid but
cannot reasonably be verified in real time, particularly when a
server is acting as a mail exchanger for another server or domain.
"Apparent validity" in this case would normally involve at least
syntax checking and might involve verification that any domains
specified were ones to which the host expected to be able to relay
mail. In these situations, reply code 252 SHOULD be returned.
[so 252 is a sort of "apparent validity" response. Not what you want for
a policy rejection.]
The meaning of 252 is defined as
252 Cannot VRFY user, but will accept message and attempt
delivery
Well, that's not what Exim wants to say. It hasn't done any
verification, so it doesn't know if it would accept the address or not.
Personally, I don't see much use for VRFY and EXPN in today's Internet.
They may be locally useful within an organization, but not wider.
For Exim 4 I have made some changes. Here is a comment from the code:
-----------------------------------------------------------------------
There's a table of the response codes to use in globals.c, along with the table
of names. VFRY is special. Despite RFC1123 it defaults disabled in Exim.
However, discussion in connection with RFC 821bis (aka RFC 2821) has concluded
that the response should be 252 in the disabled state, because there are broken
clients that try VRFY before RCPT. A 5xx response should be given only when the
address is positively known to be undeliverable. Sigh. Also, for ETRN, 458 is
given on refusal, and for AUTH, 503.
-----------------------------------------------------------------------
But for EXPN, it still give 550.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
