Re: [Exim] helo_try_verify_hosts and no helo command

Author: Philip Hazel
Date:  
To: Patrice Fournier
CC: exim-users
Subject: Re: [Exim] helo_try_verify_hosts and no helo command
On Tue, 23 Jul 2002, Patrice Fournier wrote:

> According to spec.txt:
> If "helo_verify_hosts" or "helo_try_verify_hosts" is set, Exim
> refuses to accept messages from hosts that match either of them,
> unless a HELO or EHLO command is received before the MAIL command.
> Otherwise, MAIL commands are rejected with a 550 error.


That's been changed in the 4.10 specification. It now reads:

helo_try_verify_hosts          Type: host list*                 Default: unset |
                                                                               |
    The RFCs mandate that a server must not reject a message because it        |
    doesn't like the HELO or EHLO command. By default, Exim just checks the    |
    syntax of these commands (see "helo_accept_junk_hosts" and                 |
    "helo_allow_chars" above). However, some sites like to be stricter. If the |
    calling host matches "helo_try_verify_hosts", Exim checks that the host    |
    name given in the HELO or EHLO command either:                             |
                                                                               |
     .   is an IP literal matching the calling address of the host (the RFCs   |
         specifically allow this), or                                          |
                                                                               |
     .   matches the host name that Exim obtains by doing a reverse lookup of  |
         the calling host address, or                                          |
                                                                               |
     .   when looked up using "gethostbyname()" (or "getipnodebyname()" when   |
         available) yields the calling host address.                           |
                                                                               |
    However, the EHLO or HELO command is not rejected if any of the checks     |
    fail. Processing continues, but the result of the check is remembered, and |
    can be detected later in an ACL by the "verify = helo" condition. If you   |
    want verification failure to cause rejection of EHLO or HELO, use          |
    "helo_verify_hosts" instead.                                               |
                                                                               |
helo_verify_hosts              Type: host list*                 Default: unset |
                                                                               |
    For hosts that match this option, Exim checks that the host name given in  |
    the HELO or EHLO in the same way as for "helo_try_verify_hosts". If the    |
    check fails, the HELO or EHLO command is rejected with a 550 error, and    |
    entries are written to the main and reject logs. If a MAIL command is      |
    received before EHLO or HELO, it is rejected with a 550 error.             |


> Yet, setting helo_try_verify_hosts = * still allows someone to send no
> HELO command before sending MAIL or even send an HELO which doesn't pass
> the syntax check and gets rejected but still continue with the MAIL
> command which is accepted.


Yes, that's the idea. The "try" means "don't reject, just remember the
failure". (Actually, it *will* reject for syntax errors.)


--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
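
The three checks in the quoted 4.10 text, and the difference between the "try" and non-"try" options, modelled as an added Python example (not part of the original message and not Exim's own code). The DNS data, `reverse_lookup`, `forward_lookup`, `helo_check` and `smtp_outcome` are constructed or hypothetical names, and the handling of a session with no HELO under "try" is this model's assumption.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), so this runs offline.
PTR = {"192.0.2.10": ["mail.example.org"]}
A = {"mail.example.org": ["192.0.2.10"],
     "alias.example.org": ["192.0.2.10"],
     "forged.example.net": ["198.51.100.7"]}

def reverse_lookup(ip):      # hypothetical stand-in for a PTR lookup
    return PTR.get(ip, [])

def forward_lookup(name):    # hypothetical stand-in for gethostbyname()
    return A.get(name, [])

def helo_check(helo_name, peer_ip, rev=reverse_lookup, fwd=forward_lookup):
    """True if helo_name passes any one of the three checks in the quoted spec."""
    peer = ipaddress.ip_address(peer_ip)
    # Check 1: an IP literal such as [192.0.2.10] must equal the calling address.
    if helo_name.startswith("[") and helo_name.endswith("]"):
        try:
            return ipaddress.ip_address(helo_name[1:-1]) == peer
        except ValueError:
            return False
    name = helo_name.rstrip(".").lower()
    # Check 2: the name matches what a reverse lookup of the caller returns.
    if name in {n.rstrip(".").lower() for n in rev(peer_ip)}:
        return True
    # Check 3: a forward lookup of the name yields the calling address.
    return any(ipaddress.ip_address(a) == peer for a in fwd(name))

def smtp_outcome(option, helo_name, peer_ip="192.0.2.10"):
    """Model one session. option is 'try' or 'verify'; helo_name None means
    MAIL arrived with no HELO/EHLO. Returns (result, helo_verified)."""
    verified = helo_name is not None and helo_check(helo_name, peer_ip)
    if option == "verify":
        if helo_name is None:
            return ("MAIL rejected 550", False)
        if not verified:
            return ("HELO rejected 550", False)
    # 'try' never rejects on verification; the flag is what an ACL
    # "verify = helo" condition would later see (False for no HELO is
    # this model's choice; syntax checking is not modelled).
    return ("accepted", verified)
```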