At 16:01 -0400 2003/06/26, Walt Reed wrote:
> Well, this is kind of a tough issue when you look into it deeper. The
> older versions of the SMTP standards also state that a server must not
> reject email based on HELO data. The issue is how long do you give them
> to be compliant with newer standards?
Actually no SMTP standard says any such thing. In fact they say the
very opposite: Syntax errors must always be rejected with a permanent
501 failure code. Hostname parameters containing invalid characters are
considered syntax errors since they are impossible values for hostnames,
by definition.
Allowing arbitrary junk data from the HELO command parameter, and
including that junk in an e-mail header (all proper SMTP mailers "MUST"
include the greeting name in the "from" part of the "Received:" header)
could trigger vulnerabilities in poorly written mail readers, or even
poorly written display software (terminal emulators, windowing systems,
etc.). In fact it has happened already with other similar protocols.
(If you're thinking of RFC 1123 5.2.5, well that only suggests that the
IP address of the client host need not match the A RR retrieved from its
hostname, but of course that's B.S. too since the first part of that
section requires that it "MUST" and we must err on the side of safety
and not assume that our users can read, disect, and understand
"received" headers and that they will do so in every message they
receive).
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>