Re: [exim] syntactically invalid argument(s) - rejected HELO

Author: Exim User's Mailing List
Date:  
To: Marc Perkel
CC: Exim User's Mailing List, Igor Robul
Subject: Re: [exim] syntactically invalid argument(s) - rejected HELO
[ On Thursday, December 16, 2004 at 08:28:18 (-0800), Marc Perkel wrote: ]
> Subject: Re: [exim] syntactically invalid argument(s) - rejected HELO
>
> Quite frankly - I'm not sure that the HELO has any useful functionality
> in the first place and I wonder why it even exists.


The greeting exchange between SMTP client and server is an essential
part of the protocol.

The server _MUST_ identify itself to the client and the client _MUST_
identify itself to the server and they _MUST_ use their canonical
hostnames when doing so.

It started out as a means to help ensure that routing problems don't
lead to seriously dangerous and hard-to-stop loops. Any SMTP server
implementation worth its salt will recognize and refuse all forms of its
own name to avoid talking to itself. Clients should also recognize
their own names in the 220 greeting and refuse to talk to themselves.

Furthermore since the onset of massive abuse of SMTP on the public
Internet about a decade or more ago the verification of hostnames has
become an essential task for all SMTP operators to ensure that the
hostnames in the logs and in the received headers the mailer generates
are true and valid such that the audit trails they are part of are at
least minimally believable and useful.

It also should go without saying these days that every server must
refuse to accept connections from any client that attempts to use any
form of the server's own name(s) in order to prevent cases of mistaken
identity, either by its own internal access controls (which are often
based on hostnames), or by any similar mechanism used in _any_ software
anywhere down the line that might process the messages received, or
indeed even to help humans not make such mistakes when they read logs
and headers.

Maybe someday we'll use strict cryptographic authentication and
certificates for all SMTP connections, or at least some kind of web of
trust model. However until then the DNS is all we've got to identify
each other's SMTP hosts. And if you want to be even more careful about
how you verify a hostname then you can require use of the reverse DNS
too (and it shouldn't be so painful any more now that some big operators
have paved the way!). Just remember though that in an insecure system
like the DNS it takes a three-way handshake to verify any information to
even the barest minimum level of confidence; i.e. if you start with a
hostname then it must resolve to an A record which has a target address
which in turn gives a PTR which has the same target hostname (in the
same way that when you start with an IP address it must resolve to a PTR
that must point to a hostname which has the same IP address).


Now, as for which characters are valid parts of hostnames, well that's
not an SMTP issue at all -- it's a DNS issue. The limitations of domain
name syntax, including the strict elimination of underscores, are
necessary even today given the character set and data interchange issues
all participants on the Internet must take into account. Underscores
simply cannot be translated into all computer character sets in use and
so they MUST NOT be used in the DNS, especially not for hostnames. At
this level uniformity and conformity are _essential_ to interoperability.


Also, this isn't really about "one man fixing the world" -- most of the
world which is currently breaking the rules can be fixed by a very small
number of people, in the right place and at the right time. In much of
the software world, especially in anything related to unix, we've been
very accustomed to giving users all the rope we can dream up so they can
do anything they please with it.  However it's obvious that the vast
majority of users, including most system managers, don't expect their
computers to do stupid things or to let them do stupid things to or with
those computers. If the majority of mail server software in use were to
refuse to even start up if the host it's running on has an invalid
hostname then system managers would be very quick to fix their
hostnames. Of course these kinds of rules _should_ be uniformly
implemented at the lowest levels so that those ignorant of the rules
can't break them and can't fall back on the lame excuse of "well the
system lets me do it that way, so why can't I do it that way?"


Everything is connected and so it's lame approaches to these issues such
as saying "allowing underscores in SMTP greetings isn't going to hurt
anything" which are exactly what does cause grief -- but maybe not to
whom you think it does. If more than a very few sites relax their
rules, even just temporarily, then stubborn idiots the world over will
get the idea that they can break these rules all the time and then those
who use systems which simply cannot relax their rules are hurt.
That might be exactly what the likes of a monopoly might wish upon those
of us who are not yet under their thumb, but none of the rest of us
should be letting any monopoly get away with it, not even for a moment.

So, even if we can't get the right person to make the one fix that will
have the most effect then the more of us that badger away to get the
misconfigured systems corrected then the easier it is to "fix the world"
-- many hands make light work.


-- 
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
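
Added example, not part of the original message: a Python check of a HELO argument along the lines the message describes (hostname syntax without underscores, refusal of the server's own names, and forward/reverse DNS agreement). The resolver callbacks, the sample zone data and all names and addresses are constructed; tying the A and PTR lookups to the connecting peer's address is an assumption of this example, and address-literal HELO arguments are not handled.

```python
import re

# One DNS hostname label: letters, digits, hyphen; no underscore,
# no leading or trailing hyphen, at most 63 characters.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def norm(name):
    """Lower-case and drop one trailing root dot for comparison."""
    return (name[:-1] if name.endswith(".") else name).lower()

def valid_hostname(name):
    name = norm(name)
    return 0 < len(name) <= 253 and all(LABEL.fullmatch(l) for l in name.split("."))

def check_helo(helo, peer_ip, own_names, lookup_a, lookup_ptr):
    """Return (accept, reason). lookup_a / lookup_ptr are hypothetical
    resolver callbacks returning lists of addresses / PTR names."""
    if not valid_hostname(helo):
        return False, "syntactically invalid argument"
    name = norm(helo)
    if name in {norm(n) for n in own_names}:
        return False, "client used this server's own name"
    # Forward step: the HELO name must have an A record for the peer.
    if peer_ip not in lookup_a(name):
        return False, "HELO name does not resolve to peer address"
    # Reverse step: the peer's PTR must lead back to the same name.
    if name not in {norm(p) for p in lookup_ptr(peer_ip)}:
        return False, "PTR for peer does not match HELO name"
    return True, "ok"

# Constructed sample data (documentation names and addresses only).
OWN_NAMES = ["mx.example.org", "mail.example.org"]
A_RECORDS = {"mail.example.net": ["192.0.2.10"],
             "dsl.example.net": ["192.0.2.20"]}
PTR_RECORDS = {"192.0.2.10": ["mail.example.net."],
               "192.0.2.20": ["pool-20.example.com."]}

def check_sample(helo, peer_ip):
    return check_helo(helo, peer_ip, OWN_NAMES,
                      lambda n: A_RECORDS.get(n, []),
                      lambda ip: PTR_RECORDS.get(ip, []))

if __name__ == "__main__":
    for helo, ip in [("mail.example.net", "192.0.2.10"),
                     ("mail_1.example.net", "192.0.2.10"),
                     ("MX.Example.ORG.", "192.0.2.10"),
                     ("dsl.example.net", "192.0.2.20")]:
        print(helo, ip, check_sample(helo, ip))
```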