
Re: HELO [1.2.3.4] wrong policy checking



Hello.

Date sent:      	Mon, 17 Sep 2001 14:42:10 +0400 (MSD)
From:           	Eugene Crosser <crosser@online.ru>
Send reply to:  	Eugene Crosser <crosser@online.ru>
Subject:        	Re: HELO [1.2.3.4] wrong policy checking
To:             	Matti Aarnio <mea@nic.funet.fi>

> The question is somewhat different.  Systems should connect to us from
> private addresses so it may be legitimate to reject connections from
> such addresses.  BUT checking HELO parameter is different - if it has
> private address literal (or any random junk for that matter) it does
> not mean illegitimate peer.  What I am objecting to is that peer IP
> address and HELO parameter presented by peer are currently checked the
> *same* way.  This I think is not right.

I completely agree with you. RFC2505 says:

....In an SMTP session we have 4 elements, each with a varying 
degree of trust:

   1)  "HELO Hostname"           Easily and often forged.
   2)  "MAIL From:"              Easily and often forged.
   3)  "RCPT To:"                Correct, or at least intended.
   4)  SMTP_Caller (host)        IP.src addr OK, FQDN may be OK.

.......

So, checking criteria should be very different for IP and HELO.

Alexey


====
Alexey Lobanov
NIC-hdl: al258-ripe
CPR, St.Petersburg
IT Department Head
CPR Institute
14, 13th Line V.O.,
St.Petersburg 199034 Russia
tel.: +7 (812) 346 82 47, +7 (812) 327 71 08
fax: +7 (812) 346 82 48, +7 (812) 327 14 08
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
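
Added example, not part of the original message and not ZMailer code: a sketch of the separation argued for above, where only the peer's real IP address can reject a session and the HELO argument only produces advisory notes. The function names, the RFC 1918 network list and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumed policy input: RFC 1918 ranges the receiving MTA refuses as a source.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr falls inside one of the configured private networks."""
    return any(addr in net for net in PRIVATE_NETS)

def parse_helo_literal(helo):
    """Return the address inside an SMTP address literal such as
    "[1.2.3.4]" or "[IPv6:2001:db8::1]", or None if helo is not one."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    body = helo[1:-1]
    if body[:5].lower() == "ipv6:":
        body = body[5:]
    try:
        return ipaddress.ip_address(body)
    except ValueError:
        return None

def check_session(peer_ip, helo):
    """Hypothetical policy: enforce on the TCP source address,
    treat the HELO argument as untrusted and only annotate it."""
    peer = ipaddress.ip_address(peer_ip)
    notes = []
    literal = parse_helo_literal(helo)
    if literal is not None:
        if is_private(literal):
            notes.append("helo-literal-private")
        if literal != peer:
            notes.append("helo-literal-mismatch")
    elif helo.startswith("["):
        notes.append("helo-literal-malformed")
    # The verdict depends on the peer address alone; HELO notes never reject.
    verdict = "reject" if is_private(peer) else "accept"
    return (verdict, notes)

if __name__ == "__main__":
    # Constructed sample sessions: (peer IP, HELO argument).
    for peer, helo in [("192.0.2.25", "[1.2.3.4]"),
                       ("192.0.2.25", "[192.168.1.10]"),
                       ("10.0.0.5", "mail.example.org")]:
        print(peer, helo, check_session(peer, helo))
```

The notes can feed logging or scoring, which keeps a forged or sloppy HELO visible without letting it decide the session.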