On Tue, 23 Jul 2002, Patrice Fournier wrote:
> According to spec.txt:
> If "helo_verify_hosts" or "helo_try_verify_hosts" is set, Exim
> refuses to accept messages from hosts that match either of them,
> unless a HELO or EHLO command is received before the MAIL command.
> Otherwise, MAIL commands are rejected with a 550 error.
That's been changed in the 4.10 specification. It now reads:

helo_try_verify_hosts     Type: host list*     Default: unset

The RFCs mandate that a server must not reject a message because it
doesn't like the HELO or EHLO command. By default, Exim just checks the
syntax of these commands (see "helo_accept_junk_hosts" and
"helo_allow_chars" above). However, some sites like to be stricter. If the
calling host matches "helo_try_verify_hosts", Exim checks that the host
name given in the HELO or EHLO command either:

. is an IP literal matching the calling address of the host (the RFCs
specifically allow this), or

. matches the host name that Exim obtains by doing a reverse lookup of
the calling host address, or

. when looked up using "gethostbyname()" (or "getipnodebyname()" when
available) yields the calling host address.

However, the EHLO or HELO command is not rejected if any of the checks
fail. Processing continues, but the result of the check is remembered, and
can be detected later in an ACL by the "verify = helo" condition. If you
want verification failure to cause rejection of EHLO or HELO, use
"helo_verify_hosts" instead.

helo_verify_hosts     Type: host list*     Default: unset

For hosts that match this option, Exim checks that the host name given in
the HELO or EHLO in the same way as for "helo_try_verify_hosts". If the
check fails, the HELO or EHLO command is rejected with a 550 error, and
entries are written to the main and reject logs. If a MAIL command is
received before EHLO or HELO, it is rejected with a 550 error.

> Yet, setting helo_try_verify_hosts = * still allows someone to send no
> HELO command before sending MAIL or even send an HELO which doesn't pass
> the syntax check and gets rejected but still continue with the MAIL
> command which is accepted.
Yes, that's the idea. The "try" means "don't reject, just remember the
failure". (Actually, it *will* reject for syntax errors.)
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
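
The three checks and the try/verify difference discussed in this thread, modelled as an added Python example (not Exim's code and not part of the original message). The lookup tables, addresses and function names are constructed for illustration, the 250 reply stands for "accepted", and the syntax check on the HELO argument is left out.

```python
# Model of the HELO checks quoted from the 4.10 spec above; not Exim source.
# PTR and FWD are constructed sample data standing in for real DNS lookups.
import ipaddress

PTR = {"192.0.2.10": "mail.example.org"}            # reverse lookups
FWD = {"mail.example.org": ["192.0.2.10"],          # forward lookups
       "alias.example.org": ["192.0.2.10"]}

def helo_name_verifies(helo_name, peer_ip, ptr=PTR, fwd=FWD):
    """True if any one of the three checks listed in the spec passes."""
    # Assumption: names compare case-insensitively, ignoring a trailing dot.
    name = helo_name.strip().lower().rstrip(".")
    if not name:
        return False
    # 1. IP literal matching the calling address, e.g. [192.0.2.10]
    if name.startswith("[") and name.endswith("]"):
        lit = name[1:-1]
        if lit.startswith("ipv6:"):                 # RFC 2821 IPv6 literal tag
            lit = lit[5:]
        try:
            return ipaddress.ip_address(lit) == ipaddress.ip_address(peer_ip)
        except ValueError:
            return False
    # 2. name equals the reverse lookup of the calling address
    if ptr.get(peer_ip, "").lower() == name:
        return True
    # 3. forward lookup of the name yields the calling address
    return peer_ip in fwd.get(name, [])

def on_helo(mode, helo_name, peer_ip):
    """mode is 'try' (helo_try_verify_hosts) or 'verify' (helo_verify_hosts).
    Returns (reply code, result remembered for a later 'verify = helo')."""
    ok = helo_name_verifies(helo_name, peer_ip)
    if mode == "verify" and not ok:
        return 550, False       # command rejected, logged to main and reject logs
    return 250, ok              # 'try': never rejected here, result only remembered

def on_mail_before_helo(mode):
    """MAIL received with no HELO/EHLO from a host matching the option."""
    return 550 if mode == "verify" else 250

if __name__ == "__main__":
    for name in ("[192.0.2.10]", "alias.example.org", "spoofed.example.net"):
        print(name, on_helo("try", name, "192.0.2.10"),
              on_helo("verify", name, "192.0.2.10"))
```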