Re: exim HELO=fully qualified host name?
On 2004-03-02 09:02:23 -0500, Derrick 'dman' Hudson wrote:
> RFC 2821, section 220.127.116.11 Extended HELLO (EHLO) or HELLO (HELO)
> The argument field contains the fully-qualified domain name of the
> SMTP client if one is available. In situations in which the SMTP
> client system does not have a meaningful domain name [...], the
> client SHOULD send an address literal
> If the client gives a domain name that is not fully-qualified, it
> violates the specification. Therefore it is bad data.
I was talking more about the resolution of the FQDN (when the client
gives a valid FQDN).
> | Same problems with machines on private networks, when NAT is used.
> Those machines could have domain names, although they might not be
> listed in the public DNS.
This is my case at home (ay.vinc17.org, which is resolvable only in
my private network, and refusing my messages just because the server
can't resolve it is a bad idea).
> They could also provide an IP address.
which would be a private address, so not more useful than a random FQDN
for the server.
> | Well, I think that requiring a FQDN (i.e. with at least a dot) is even
> | too much, as the FQDN is completely useless and most spam messages are
> | sent with a valid FQDN anyway.
> Many are sent without it. Here are some of my stats from last week :
> Helo command rejected: Don't use my own hostname (total: 72)
> Helo command rejected: Invalid name (total: 6)
> Helo command rejected: localhost? Really? Nah, fix your hosts file. (total: 4)
> Helo command rejected: need fully-qualified hostname (total: 215)
> Helo command rejected: Your software is not RFC 2821 compliant (total: 194)
> That is 491 junk messages I did not receive due to simple sanity
> checking of the HELO parameter. It works for me.
How do you know they are all junk messages if you only checked the HELO?
Before exim was fixed in Debian, several messages I'd sent were rejected
by some SMTP server.
> It is easy enough for anyone who wants to send mail to either relay it
> through a provider,
This is what I was doing until I got bored by too many problems with
my ISP's smarthost:
1) it was frequently blacklisted,
2) messages could be waiting for hours in the queue (either because
it was full of spam or because many other messages were blocked
due to timeout when trying to connect the destination server),
3) messages could be rejected if the destination server was down for
several hours (as a solution of (2)).
> or to provide a syntactically valid fully-qualified name or IP
> address that I don't consider the checks I enforce to be too strict.
> You're free to not enforce these checks on your own server if you
> don't want to.
You rules seem to be OK, at least concerning the RFC. But before
doing any check, I would do some stats first. For instance, I've
just seen in my mail that a friend of mine is using Apple Mail,
which isn't RFC 2821 compliant. Forte Agent, used by some of my
family, doesn't provide a FQDN (no dot in the HELO argument).
Ditto for Microsoft Outlook (from a message received in some
Vincent Lefèvre <firstname.lastname@example.org> - Web: <http://www.vinc17.org/> - 100%
validated (X)HTML - Acorn Risc PC, Yellow Pig 17, Championnat International
des Jeux Mathématiques et Logiques, TETRHEX, etc.
Work: CR INRIA - computer arithmetic / SPACES project at LORIA