On Mon, Jul 18, 2011 at 07:41:09AM -0500, Les Mikesell wrote:
> On 7/18/11 5:43 AM, Stephen Harris wrote:
> >>> RFC2821 says:
> >>>   - The domain name given in the EHLO command MUST BE either a primary
> >>>     host name (a domain name that resolves to an A RR) or, if the host
> >>>     has no name, an address literal as described in section 4.1.1.1.
> >>>
> >>> So, pretty much, HELO or EHLO greeting _must_ match to an IP.
> >>>
> >>> (RFC821 actually wanted the HELO to match the connecting host, but
> >>> 2821 just says it must be an A record or an address literal).
>
> Can you point me to the section? I don't see anything there about the hostname
> having to match an interface address or being allowed to reject if it isn't - or
> even any advice on how clustered hosts representing one mail domain should
> represent themselves.

I think you think I'm disagreeing with you; I'm not. I'm agreeing with you.
The RFCs don't require the SMTP server to match the interface IP address.

Note that RFC821 has been obsoleted and replaced with 2821. Anyone programming
to 821 requirements is doing it wrong.

In fact 2821 has been replaced with 5321.

5321 says:

  2.3.5
  [...]
  The domain name given in the EHLO command MUST be either a primary host
  name (a domain name that resolves to an address RR) or, if the host has
  no name, an address literal, as described in Section 4.1.3 and discussed
  further in the EHLO discussion of Section 4.1.4.

I think that reference to 4.1.4 should really be 4.1.1.1...

  4.1.1.1. Extended HELLO (EHLO) or HELLO (HELO)

  These commands are used to identify the SMTP client to the SMTP server.
  The argument clause contains the fully-qualified domain name of the SMTP
  client, if one is available. In situations in which the SMTP client
  system does not have a meaningful domain name (e.g., when its address is
  dynamically allocated and no reverse mapping record is available), the
  client SHOULD send an address literal (see Section 4.1.3).
You only need to follow 5321 requirements, which do _not_ require the host to
identify itself as matching the specific interface; it merely needs to identify
as a valid A record (or address literal) for the client system.

There's nothing to say that the client system need be listening on port 25 (or
be open to port 25 connections; firewalls, for example), so anyone performing
HELO (or EHLO) address verification is pretty much limited to the 2.3.5
requirement: that the passed name is _a_ valid name.

Which is, AFAIK, all postfix does.

-- 
rgds
Stephen
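As an added illustration (not code from the thread or from Postfix), the check below implements exactly the narrow RFC 5321 section 2.3.5 / 4.1.3 test discussed above: the EHLO/HELO argument must be either a syntactically valid address literal or a domain name that resolves to at least one address record. It deliberately does not compare the result against the connecting IP, since the RFC imposes no such requirement. DNS is abstracted behind a resolver callback so the example runs offline; the `FAKE_DNS` table, `fake_resolver`, and all host names and addresses in it are constructed for the example (documentation ranges from RFC 5737 and RFC 3849), and the general-address-literal form (`[tag:content]`) from 4.1.3 is not handled.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Callable, Optional

# Hypothetical resolver signature used by this example: a host name maps to the
# list of its A/AAAA addresses (as strings), or to [] if it has none.
Resolver = Callable[[str], list]

# One LDH label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_address_literal(arg: str) -> Optional[str]:
    """Parse an RFC 5321 4.1.3 address literal: "[192.0.2.1]" or "[IPv6:2001:db8::1]".

    Returns the normalised address as a string, or None if the argument is not a
    well-formed IPv4/IPv6 literal. General-address-literals are not supported here.
    """
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    inner = arg[1:-1]
    try:
        if inner.startswith("IPv6:"):
            return str(ipaddress.IPv6Address(inner[len("IPv6:"):]))
        return str(ipaddress.IPv4Address(inner))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def is_fqdn_syntax(name: str) -> bool:
    """Syntactic check for an RFC 5321 4.1.2 Domain: two or more LDH labels."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    if len(labels) < 2:  # a bare single label such as "localhost" is not an FQDN
        return False
    return all(_LABEL.match(label) for label in labels)


def check_helo(arg: str, resolve: Resolver) -> tuple:
    """Apply the RFC 5321 2.3.5 requirement to an EHLO/HELO argument.

    Returns (accepted, reason). The argument is accepted if it is a valid
    address literal, or a domain name that resolves to at least one address RR.
    Nothing here looks at the peer's IP: the RFC only lets a server insist that
    the name is *a* valid name, which is all this check enforces.
    """
    if not arg:
        return False, "empty HELO argument"
    literal = parse_address_literal(arg)
    if literal is not None:
        return True, f"address literal {literal}"
    if arg.startswith("["):
        return False, "malformed address literal"
    if not is_fqdn_syntax(arg):
        return False, "not a fully-qualified domain name"
    addrs = resolve(arg)
    if not addrs:
        return False, "name does not resolve to an address RR"
    return True, "resolves to " + ", ".join(addrs)


# Constructed, offline stand-in for DNS. These names and addresses are made up
# for the example (documentation address ranges), not real hosts.
FAKE_DNS = {
    "mx1.example.com": ["192.0.2.10"],
    "cluster.example.net": ["192.0.2.20", "2001:db8::20"],
}


def fake_resolver(name: str) -> list:
    """Example resolver: look the name up in FAKE_DNS instead of real DNS."""
    return FAKE_DNS.get(name.lower(), [])


if __name__ == "__main__":
    for helo in ["mx1.example.com", "cluster.example.net", "nx.example.org",
                 "localhost", "[192.0.2.1]", "[IPv6:2001:db8::1]", "[999.1.1.1]", ""]:
        ok, why = check_helo(helo, fake_resolver)
        print(f"{helo!r:28} {'accept' if ok else 'reject':6} {why}")
```

The two layers correspond to what a server can legitimately enforce: a syntax test (an FQDN or a well-formed literal) and an existence test (the name resolves). Note that `cluster.example.net` is accepted on its own merits regardless of which cluster member is connecting, which is why this check says nothing about the clustered-host question raised in the quoted text. Postfix's `reject_invalid_helo_hostname` and `reject_unknown_helo_hostname` restrictions express roughly these same two layers.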