Re: [exim] Exim server behind NAT router (and HELO)

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Exim User's Mailing List
Date:  
À: Fred Viles
CC: Exim User's Mailing List
Sujet: Re: [exim] Exim server behind NAT router (and HELO)
[ On Wednesday, March 16, 2005 at 12:04:45 (-0800), Fred Viles wrote: ]
> Subject: Re: [exim] Exim server behind NAT router (and HELO)
>
> The RFC's mandate a syntax (either a valid FQDN or an IP literal),
> but don't allow the receiving MTA to reject based on the particular
> name provided. So you'd be RFC clean with
> "EHLO an.arbitrary.name.invalid".


That's simply not true at all.

The RFCs actually do require all SMTP clients to identify themselves
truthfully and accurately. The HELO/EHLO parameter _MUST_ be a valid
canonical hostname that resolves to the address its connection
originates from. There are no if's, and's, or but's about it.

However an ancient (~20-year-old) RFC that many still honour to the
letter (instead of just to the spirit, as it now deserves) also gives a
compromise to this apparently draconian check and attempts to require
servers to accept mail from clients that blatantly lie about their
identity, giving the rationale that users can detect such lies by
reading the Received headers.

Of course that doesn't mitigate the fact that the very same RFC still
requires clients to identify themselves properly -- it just makes a
compromise that seemed politically useful back in the days of the tiny
little friendly neighbourhood academic Internet that existed when that
RFC was written.

Now we all know that 99.999% of users these days don't even know what a
"received" header is or how to find it let alone understand its content,
and we also know that most users don't use any other form of integrity
checking to be sure the mail they read wasn't forged, so thus this
continues to be one of the reasons why Internet e-mail is in the sorry
state it is with phishing attacks and such growing more popular and more
successful every day (not to mention spam too ;-)

Of course RFCs may not dictate security policy so you will in fact find
servers that do verify the hostname given by the client and which do
reject transactions from clients that blatantly lie about their identity.

Some of those more picky servers are even running Exim! ;-)

- -- 
                        Greg A. Woods


H:+1 416 218-0098  W:+1 416 489-5852 x122  VE3TCP  RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>