[unisog] I need help.

Valdis.Kletnieks at vt.edu
Thu Jul 18 20:01:38 GMT 2002


On Thu, 18 Jul 2002 07:54:50 MDT, "William D. Colburn (aka Schlake)" said:

> I wrote a milter that checks things.  If a message
>   1) contains only HTML content AND
>   2) does not have a reverse IP OR
>   2) gave a HELO/EHLO that does not match its reverse ip

(OK.. Time to put my e-mail geek hat on and cite chapter and verse ;)

Hopefully on the first (2), if you get a timeout on the DNS query you do a
tempfail (4xx) rather than a 5xx error.

Also, on the second (2) (should be 3?), note that there are a *NUMBER* of
perfectly valid cases for the HELO not matching (for instance, this laptop
always asserts the same hostname on the HELO, but if I happen to be
DHCP'ed on wireless or dialed up from home, the PTR won't match).

RFC2821 has this to say in 4.1.1.1:
   These commands are used to identify the SMTP client to the SMTP
   server.  The argument field contains the fully-qualified domain name
   of the SMTP client if one is available.  In situations in which the
   SMTP client system does not have a meaningful domain name (e.g., when
   its address is dynamically allocated and no reverse mapping record is
   available), the client SHOULD send an address literal (see section
   4.1.3), optionally followed by information that will help to identify
   the client system.  The SMTP server identifies itself to the SMTP
   client in the connection greeting reply and in the response to this
   command.

and in 4.1.4:
   An SMTP server MAY verify that the domain name parameter in the EHLO
   command actually corresponds to the IP address of the client.
   However, the server MUST NOT refuse to accept a message for this
   reason if the verification fails: the information about verification
   failure is for logging and tracing only.

Christian Huitema did a study a while ago, and found that only about 30%
of the DNS namespace had correct and valid PTR entries - you might want to
think about that when rejecting mail just because the PTR isn't valid.

Oh... and you might want to ask yourself what happens for smaller sites, where
www.foo.com and mail.foo.com point at the same address - and the PTR points at
www.foo.com or realboxname.foo.com.  Issues with CNAMEs and MX entries and
the possibility of hosting multiple sites on one physical host make it even
more interesting.

On the other hand, at least you're not blocking 'MAIL FROM:<>'.  Or if you
are, at least being discreet about it. ;)
-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
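An added illustration (not code from the original thread or from the milter it discusses): a policy function that applies the points above, tempfailing on a DNS timeout rather than bouncing, accepting an RFC 2821 address literal in HELO, and, per section 4.1.4, only logging a HELO/PTR mismatch instead of refusing the message. The reverse-lookup outcome is passed in as a constructed value so it runs offline; check_client, Verdict and the PTR_* constants are names assumed here.

```python
import socket
from dataclasses import dataclass

# Constructed outcomes of the reverse (PTR) lookup. A milter must keep
# "no record" and "lookup timed out" distinct, because only the former
# says anything about the client; the latter is a transient failure.
PTR_FOUND, PTR_NONE, PTR_TIMEOUT = "found", "none", "timeout"


@dataclass
class Verdict:
    code: int      # SMTP reply class: 250 accept, 451 tempfail, 550 reject
    reason: str


def is_address_literal(helo):
    """RFC 2821 4.1.1.1: a client with no meaningful name SHOULD send '[a.b.c.d]'."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    try:
        socket.inet_aton(helo[1:-1])
        return True
    except OSError:
        return False


def check_client(ip, helo, ptr_status, ptr_name, html_only, log):
    """Decide what to do with a connecting client (hypothetical policy).

    ptr_status / ptr_name describe the PTR lookup for ip; log is a callable
    that receives tracing lines (RFC 2821 4.1.4: a HELO/PTR mismatch is for
    logging and tracing only, never a reason to refuse the message).
    """
    if not html_only:
        return Verdict(250, "not HTML-only; reverse-DNS checks not applied")
    if ptr_status == PTR_TIMEOUT:
        # Transient DNS trouble: 4xx so the sender queues and retries.
        return Verdict(451, "4.4.3 temporary reverse DNS failure, try again later")
    if ptr_status == PTR_NONE:
        # The original milter's rule; note that many legitimate hosts lack a PTR.
        return Verdict(550, "5.7.1 HTML-only message from host without reverse DNS")
    # PTR present: compare it with HELO, but log only on mismatch.
    if is_address_literal(helo):
        matched = helo[1:-1] == ip
    else:
        matched = helo.lower().rstrip(".") == ptr_name.lower().rstrip(".")
    if not matched:
        log(f"HELO {helo!r} does not match PTR {ptr_name!r} for {ip}")
    return Verdict(250, "accepted" if matched else "accepted; HELO mismatch logged")
```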
