Re: [Exim] 451-Invalid HELO

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Kjetil Torgrim Homme
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [Exim] 451-Invalid HELO
On Thu, 2004-04-29 at 17:12 +0100, Andy Saunders wrote:
> On Thu, 29 Apr 2004 at 12:14 +0100, Alan J. Flavell wrote:
> > It sort-of gives the site an opportunity to fix the problem, doesn't
> > it?
>
> That was the reasoning behind choosing 'defer'. Malware will probably
> not retry, and legitimate senders have a chance to fix their server in
> order to get their mail through.
>
> The acl has been live for around 8 weeks and rejects over one million
> recipients per week. During this time, only two senders (that I know
> of) have had trouble, and in both cases the sender has fixed his/her
> server. Two trouble tickets against 8 million worms/spams seems a fair
> trade to me.


the question is which is more useful for the user: an immediate error
message, or a message some hours later about the e-mail being delayed
for some obscure reason? I actually tend to think the former.

your one million number is probably slightly inflated since it counts
every attempt at delivery. we do outright rejection, and reject half a
million per week due to either missing or syntactically incorrect
HELO/EHLO (roughly 10% of our volume).

we've had quite a few cases of Exchange admins having to fix their
server's hostname, probably a couple every week. I think everyone who's
been in touch with us have chosen to comply with standards so that they
can communicate with us and others.

we tried to reject e-mail where $sender_helo_name didn't resolve (unless
given as a bracketed IP address). this was a disaster, and we reverted
the change after an hour or two. lots and lots of servers are using
internal names which are invalid on the Internet at large. I recommend
you don't repeat our mistake -- it is, of course, not allowed to do such
rejection according to the RFC.

this is what our ACL looks like (in rcpt, after postmaster is accepted):

  deny  hosts = ! +relay_from_hosts : *
        message = \
          Improper HELO/EHLO: "$sender_helo_name"\n\
          The HELO/EHLO argument must either be the fully qualified\n\
          name of the sending host, or its IP address (in square brackets).\n\
          See http://www.usit.uio.no/it/epost/system/ for more information.
        condition = ${if or {\
                # Sending host claims to be this host's name.
          {eq {$sender_helo_name}{smtp.uio.no}}\
                # Sending host claims to have this host's IP address.
          {eq {$sender_helo_name}{129.240.10.9}}\
          {eq {$sender_helo_name}{[129.240.10.9]}}\
                # Helo argument isn't fully qualified.
          {!match {$sender_helo_name}{\\.}}\
        }{yes}{no}}


I intend to change the hardcoded check for smtp.uio.no and IP into a
check for all our host names, domain names and IP addresses. note that
we accept IP addresses without brackets, I should change that, too.
another misfeature of this ACL is that the same error text is given when
no HELO/EHLO was presented ($sender_helo_name == ""), which can be quite
confusing for the remote postmaster, or even first level support here.
--
Kjetil T. (one of the postmasters at University of Oslo, Norway)