
Re: HELO [1.2.3.4] wrong policy checking



On 13-Sep-01 at 16:48, Matti Aarnio (mea@nic.funet.fi) wrote:
> On Wed, Sep 12, 2001 at 09:56:41PM +0400, Eugene Crosser wrote:
> > If on incoming connection remote gives us HELO with IP literal that
> > belongs to a forbidden network it results in rejection of mail.
...
>      I don't (anymore) list private networks as rejected in the
>      boilerplate   smtp-policy.src   file.
>
>      If you have an early version in use, perhaps you need to
>      remove those few lines ?

Yes, I was using old boilerplate (as it was slightly customized I did not
care to re-customize a fresher one).

>      Systems talking from behind NAT can be fully legitimate, no
>      reason to reject them.

The question is somewhat different.  Systems should connect to us from
private addresses so it may be legitimate to reject connections from
such addresses.  BUT checking HELO parameter is different - if it has
private address literal (or any random junk for that matter) it does
not mean illegitimate peer.  What I am objecting to is that peer IP
address and HELO parameter presented by peer are currently checked the
*same* way.  This I think is not right.

> > Any thoughts about how to fix this properly?
> 
>      Fix the   smtp-policy.src  boilerplate file ?

This obviously helps but is it "proper"?

Eugene
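
The distinction argued for above, as an added sketch (not ZMailer code and not part of the original message): the forbidden-network test applied to both the peer address and the HELO literal, beside a variant that applies it to the peer address only. The network list and all function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed policy for this example: networks refused as connection sources.
FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# HELO address literal: [1.2.3.4] or [IPv6:...]
_LITERAL = re.compile(r"^\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]$")


def helo_literal(helo_arg):
    """Return the address inside a HELO address literal, or None."""
    m = _LITERAL.match(helo_arg.strip())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:  # syntactically a literal, but not an address
        return None


def forbidden(addr):
    """True if addr falls inside any network on the forbidden list."""
    return any(addr in net for net in FORBIDDEN_NETS)


def check_same_way(peer_ip, helo_arg):
    """Behaviour objected to: the HELO literal gets the peer-address test too."""
    lit = helo_literal(helo_arg)
    if forbidden(ipaddress.ip_address(peer_ip)):
        return "reject"
    if lit is not None and forbidden(lit):
        return "reject"
    return "accept"


def check_separately(peer_ip, helo_arg):
    """Peer address decides; the HELO argument is only noted for logging."""
    peer = ipaddress.ip_address(peer_ip)
    if forbidden(peer):
        return ("reject", "peer address in forbidden network")
    lit = helo_literal(helo_arg)
    if lit is not None and lit != peer:
        return ("accept", f"HELO literal {lit} differs from peer {peer}")
    return ("accept", "")
```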