Re: [Exim] Limited EHLO/HELO checking receipee

Author: Exim Users Mailing List
Date:  
To: exim-users
Subject: Re: [Exim] Limited EHLO/HELO checking receipee
[ On Tuesday, May 28, 2002 at 23:51:42 (-0700), Marc MERLIN wrote: ]
> Subject: [Exim] Limited EHLO/HELO checking receipee
>
> In case this is useful to someone:
>
> Unless I'm mistaken, exim's only helo/ehlo check is the full RFC check
> (check given hostname vs hostname retrieved via a reverse lookup on the IP)


That's not what the RFC says, at least not what RFC 1123 5.2.5 requires
of the client. The check is supposed to be that the hostname given by
the client resolve to an A record giving the source address of the
client's connection.

Any check of the consistency between forward and reverse DNS is a
separate check, and though it's also mandated by other RFCs, it's
entirely unrelated to RFC 1123 5.2.5's client-side requirements.

> Anyway, the point being that full ehlo checking will reject a fair amount of
> legitimate Email.


The check you have proposed will do so, as will any check for hostname
and reverse DNS consistency.

The check that the client has met its RFC 1123 5.2.5 requirements blocks
very few legitimate mailers, though some of those very few are VERY
large, and if you consider all e-mail from such domains to be legitimate
by definition then yes, even the basic check will reject a fair amount
of "legitimate" e-mail.

Personally I define "legitimate e-mail" in this context as that coming
from a correctly configured mailer. I don't care who the heck is
sending the message, it cannot be legitimate by definition if the mailer
forwarding it uses an illegal or invalid hostname.


> You can however do a limited check, which will get rid of all the bogus non
> domain values that virii and other junk senders give you for HELO
>
> Here's what I wrote:
>
> acl_check_rcpt:
>   deny  message   = "HELO/EHLO required by SMTP RFC"
>         condition = ${if eq{$sender_helo_name}{}{yes}{no}}

>
>   deny  message   = "Invalid domain or IP given in HELO/EHLO"
>        !condition = ${if match{$sender_helo_name}{\\\.}{yes}{no}}


You'd best also deny messages from mailers trying to use "localhost" or
"localdomain" or some combination or permutation thereof....

There are also strict rules about what characters are allowed, and the
min/max lengths of domain labels, in syntactically correct hostnames.
These latter tests should be enforced 100% of the time.

--
                                Greg A. Woods


+1 416 218-0098; <gwoods@???>; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>
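
The checks discussed in this message, gathered into one function as an added example (not part of the thread and not Exim code): the two tests from the quoted ACL, the hostname syntax and localhost/localdomain tests, and the forward lookup that the reply attributes to RFC 1123 5.2.5. The names `check_helo`, `sample_resolver` and `SAMPLE_DNS` are hypothetical, the DNS data is constructed, and treating only names made up entirely of "localhost"/"localdomain" labels as local, and rejecting an all-numeric final label, are assumptions of this sketch.

```python
import ipaddress
import re

# One RFC 1123 label: letters, digits, hyphen; 1-63 chars; no hyphen at either end.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
LOCAL_LABELS = {"localhost", "localdomain"}
# Constructed sample data standing in for real A-record lookups.
SAMPLE_DNS = {"mail.example.org": ["192.0.2.10"]}


def sample_resolver(name):
    """Hypothetical offline resolver: hostname -> list of IPv4 strings."""
    return SAMPLE_DNS.get(name.lower(), [])


def check_helo(helo, client_ip, resolve_a=None):
    """Return (ok, reason) for a HELO/EHLO argument sent from client_ip."""
    if not helo:
        return False, "empty HELO/EHLO"
    if helo.startswith("[") and helo.endswith("]"):
        # Address literal: it must be the peer's own address.
        try:
            literal = ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return False, "malformed address literal"
        if literal != ipaddress.ip_address(client_ip):
            return False, "address literal does not match client"
        return True, "ok"
    name = helo[:-1] if helo.endswith(".") else helo
    labels = name.split(".")
    if len(labels) < 2:
        return False, "no dot in name"
    if len(name) > 253 or not all(LABEL.fullmatch(l) for l in labels):
        return False, "invalid hostname syntax"
    if labels[-1].isdigit():
        return False, "bare IP address or numeric top-level label"
    if all(l.lower() in LOCAL_LABELS for l in labels):
        return False, "localhost/localdomain name"
    # The forward check described in the reply: the name must resolve to an
    # A record giving the source address of the connection.
    if resolve_a is not None and client_ip not in resolve_a(name):
        return False, "name does not resolve to client address"
    return True, "ok"


if __name__ == "__main__":
    for helo in ["", "FRIEND", "localhost.localdomain", "mail.example.org"]:
        print(repr(helo), check_helo(helo, "192.0.2.10", sample_resolver))
```

Passing `resolve_a=None` runs only the syntax-level tests, which is the "limited check" from the quoted message; supplying a resolver adds the forward lookup.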