On Thu, 17 Jun 2004 09:56:26 -0400 (EDT), Richard Welty wrote:
> On Thu, 17 Jun 2004 08:40:01 -0400 David Brodbeck
> <DavidB@???> wrote:
> > I based that comment on this paragraph of RFC 2821, from section 4.1.4:
>
> > An SMTP server MAY verify that the domain name parameter in the EHLO
> > command actually corresponds to the IP address of the client.
> > However, the server MUST NOT refuse to accept a message for this
^^^^^^^
> > reason if the verification fails: the information about verification
> > failure is for logging and tracing only.
>
> and i've long wondered why that paragraph is in there, seeing as the
> RFC doesn't attempt to prescribe any other site security policies.
A bit further up in the RFC it says that a sending server MUST use the FQDN
or a bracketted IP address. Now if a server doesn't comply with that, surely
whatever it's sending is just random noise and can't be regarded as a
message ? Checking that the HELO/EHLO parameter matches the connecting IP
address is fraught with interesting difficulties (what if the DNS is
broken?), but obvious brokeness like a single word HELO/EHLO parameter or a
plain IP address (HELO a.b.c.d instead of HELO [a.b.c.d]) is a clear
indication that what's being sent isn't email according to the RFC.
I'm required to offer Internet mail as a service to my users. Not something
that looks like it, but isn't.
--
Mike Meredith, Senior Informatics Officer
University of Portsmouth: Hostmaster, Postmaster and Security
Most politicians think that "ethics" is a county in the south of England.
