RE: [Exim] Exim 4.02 new "feature"

Author: Jeffrey Wheat
Date:  
To: Jeff Mcadams, dana_booth
CC: exim-users
Subject: RE: [Exim] Exim 4.02 new "feature"
This is from doc/misc/migration in the Bind 9.2.0 distribution:

4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.


Regards,
Jeff
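The check the BIND note says applications must now do for themselves, written here as an added example (not BIND, Exim or any poster's code): strict mode applies the RFC 952/1123 label rules, the relaxed mode tolerates the underscore that this thread argues over, and anything else from the network (control characters, shell metacharacters, non-ASCII) is rejected before it reaches a log, a path or a command line.

```python
import re

# Strict label: letters, digits and hyphen, no leading/trailing hyphen,
# at most 63 characters (RFC 952 as relaxed by RFC 1123).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Relaxed label: same rules but underscore is tolerated, for sites that
# choose interoperability with underscore-bearing HELO names.
_LABEL_UNDERSCORE = re.compile(
    r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def validate_hostname(name, allow_underscore=False):
    """Return (ok, reason) for a hostname taken from the network.

    ok is True only when every label is clean; the reason names the
    first offending condition so it can be logged safely (the label is
    repr()-quoted, so raw bytes never reach the log verbatim).
    """
    if not name or len(name) > 253:
        return False, "empty or too long"
    # BIND 9 is 8-bit clean (RFC 2181 s.11); a hostname validator is not.
    if not name.isascii():
        return False, "non-ASCII character"
    labels = name.rstrip(".").split(".")   # tolerate one trailing dot
    pattern = _LABEL_UNDERSCORE if allow_underscore else _LABEL
    for label in labels:
        if not label:
            return False, "empty label"
        if not pattern.match(label):
            return False, "bad label %r" % label
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample HELO names, not taken from any real reject log.
    samples = ["mail.example.com", "my_pc.example.com",
               "-bad.example.com", "host;id.example.com",
               "a" * 64 + ".example.com"]
    for s in samples:
        print("%-30s strict=%s relaxed=%s" % (
            s[:30], validate_hostname(s), validate_hostname(s, True)))
```

The relaxed mode only widens the alphabet by one character; it still refuses anything that could be interpreted by a shell, path or parser downstream.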

-----Original Message-----
From: Jeff Mcadams [mailto:jeffm@iglou.com]
Sent: Wednesday, March 27, 2002 11:48 AM
To: dana_booth
Cc: exim-users@???
Subject: Re: [Exim] Exim 4.02 new "feature"


Also sprach dana_booth
>However... In this particular instance, (the implementation of MTA
>software) Microsoft is still in the minority. I'm begging you guys,
>please don't start allowing underscores or other illegal host/domain
>name characters just because you have a reject log full of Microsoft
>hits. There must be a way to make this more public; to force those who
>"administer" Microsoft software to come into compliance.
I have mixed feelings...practically speaking, as a business, rejecting underscores (in particular) is a sure recipe for business suicide for an ISP.

On another hand, I firmly support standards compliance...as such, I would support Phillip in making the default to be compliant with the RFCs (not allowing underscores, for example), and this is what he has done.

On yet another hand, though (three hands?), standards are all about supporting interoperability. Thus the "Be liberal in what you accept, and conservative in what you send" concept. Allowing underscores enhances interoperability in almost all cases, and given that the HELO hostname is really (practically) not used for anything, then accepting underscores really does no practical harm.

I also look at this situation and consider that 2821 is pointing to a section of an RFC about DNS as the rationale for this restriction.  Given that, I think it would be wise to fix DNS servers (particularly BIND, as it's the 800 lb. gorilla in that category) to not allow underscores by default (which I don't *think* is the case at this point, but would be happy to be shown to be wrong on this point).  Once the DNS system enforces the no-underscores concept in a more widespread fashion, then it will be much more reasonable/practical to reject mail based on having underscores in the HELO name.
--
Jeff McAdams                            Email: jeffm@???
Head Network Administrator              Voice: (502) 966-3848
IgLou Internet Services                        (800) 436-4456


--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##