
Re: HELO [1.2.3.4] wrong policy checking



Hello.

On 12 Sep 2001 at 21:56, Eugene Crosser wrote:

> I think this is not right.  HELO string should not be checked
> as notoriously as real IP address of the peer.

RFC2505, "...often and easily forged..."

> This behavior results in rejection of mail coming from (admittedly
> misconfigured) MTAs talking to us from a private network behind a NAT
> router.

On the other hand, do you _really_ want to accept this mail that 
intentionally bypasses their server :-)? Well, it depends. HELO 
Localhost, HELO Default, HELO TmpStr :-)

> to check address where check of domain was requested.  Maybe even 
> domain should not be checked in HELO parameter?..
> 
> Any thoughts about how to fix this properly?

I understand HELO string as a good FORMAL check for "properly maintained 
mailhost". Not less, not more. Should we accept mail from "improperly 
maintained" one? It depends.

So:

1. "Mynetwork" may give any garbage in HELO. They are not Internet 
hosts, they are just clients. OUR clients.

2. Other folks may be checked with different levels of sanity. Maximal 
level assumes FQDN resolvable to either A or MX RR. Unfortunately, many 
real WinNT servers build their "hostname" from NetBIOS machine name and 
Internet domain. "EXCHANGE_SERVER.bigrealcompany.com" definitely does 
not exist in DNS... but the "Bigrealcompany" definitely exists in 
business. So, it is not optimal (too expensive :-). Minimal level 
assumes that HELO must just have FQDN form, not more. Maybe, also TLD 
should be checked for existence (i.e., rejecting "localhost.intra" if 
not our client).

Surely, HELO must not be compared with client IP address. NATs hiding 
several companies, multihomed hosts, etc.

Similar model exists in Postfix. Simple Postfix policy sequence looks 
like:

"permit_mynetworks, reject_non_fqdn_helo, check_maps_rbl, 
check_relay_domains"

or (Unix chauvinists only):

"permit_mynetworks, reject_unknown_helo, check_maps_rbl, 
check_relay_domains"

But "TLD only" check is not possible in Postfix.

Alexey

-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
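The three HELO sanity levels sketched in the message above (mynetworks
pass, FQDN form only, form plus existing TLD, form plus resolvable A or
MX), written out as an added example. This is editor-supplied code, not
ZMailer's or Postfix's policy code. The mynetworks ranges, the TLD set
and the DNS table are constructed stand-ins so it runs offline; a real
deployment would load the IANA root zone for the TLD list and do real
lookups. Address literals such as [1.2.3.4] (the subject of this thread)
are treated as syntactically valid per RFC 2821 and, like every other
HELO, are never compared with the client IP.

```python
import ipaddress
import re
from typing import Optional, Tuple, Union

# Constructed stand-in for a Postfix-style "mynetworks": our own clients.
MYNETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
)

# Constructed, deliberately tiny stand-in for "TLDs that exist".
# A real check would be built from the IANA root zone.
KNOWN_TLDS = frozenset({"com", "net", "org", "ru", "fi", "de"})

# Constructed offline stand-in for DNS: name -> RR types present.
FAKE_DNS = {
    "mail.bigrealcompany.com": {"A"},
    "bigrealcompany.com": {"MX"},
    "relay.example.net": {"A", "MX"},
}

# One hostname label: alnum/hyphen, no leading or trailing hyphen, <= 63 chars.
# Underscore is tolerated on purpose so NetBIOS-derived names such as
# EXCHANGE_SERVER.bigrealcompany.com pass the *form* check, as the message
# argues they should at the minimal level.
LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def address_literal(helo: str) -> Union[ipaddress.IPv4Address,
                                         ipaddress.IPv6Address, None]:
    """Return the address for an RFC 2821 literal like [1.2.3.4] or
    [IPv6:::1], or None when the HELO is not a well-formed literal."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None


def is_fqdn_form(helo: str) -> bool:
    """Minimal level: FQDN *form* only, no DNS traffic at all."""
    if len(helo) > 255:
        return False
    labels = helo.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return False
    return labels[-1].isalpha()          # TLD label must be alphabetic


def tld_exists(helo: str, tlds=KNOWN_TLDS) -> bool:
    """Intermediate level: the final label must be a known TLD."""
    return helo.rsplit(".", 1)[-1].lower() in tlds


def resolves(helo: str, lookup=FAKE_DNS.get) -> bool:
    """Maximal level: the name must carry an A or MX record."""
    return bool((lookup(helo.lower()) or set()) & {"A", "MX"})


def is_mynetwork(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def helo_policy(client_ip: str, helo: str,
                level: str = "minimal") -> Tuple[str, str]:
    """Return ('permit'|'reject', reason) for one HELO at the given level:
    'minimal' (form), 'tld' (form + TLD exists), 'maximal' (+ A/MX).
    The HELO is deliberately never compared with client_ip: NATs and
    multihomed hosts make that comparison meaningless."""
    if is_mynetwork(client_ip):
        return ("permit", "mynetworks")        # our clients: any garbage goes
    if address_literal(helo) is not None:
        return ("permit", "address_literal")   # syntactically valid, no DNS
    if not is_fqdn_form(helo):
        return ("reject", "non_fqdn_helo")
    if level in ("tld", "maximal") and not tld_exists(helo):
        return ("reject", "unknown_tld")
    if level == "maximal" and not resolves(helo):
        return ("reject", "unknown_helo")
    return ("permit", "ok")


if __name__ == "__main__":
    for ip, helo in [("10.0.0.5", "TmpStr"),
                     ("203.0.113.7", "Localhost"),
                     ("203.0.113.7", "EXCHANGE_SERVER.bigrealcompany.com"),
                     ("203.0.113.7", "localhost.intra"),
                     ("203.0.113.7", "[1.2.3.4]")]:
        for level in ("minimal", "tld", "maximal"):
            print(f"{ip:14} {helo:36} {level:8} {helo_policy(ip, helo, level)}")
```

Note how the NetBIOS-style name is accepted at the minimal level and
rejected only at the maximal one, while "localhost.intra" survives the
form check and falls to the TLD check; that is exactly the trade-off the
message describes, and the "TLD only" level it says Postfix lacks.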