[CentOS] SPAM on the List

Mon Jul 18 13:19:07 UTC 2011
Stephen Harris <lists at spuddy.org>

On Mon, Jul 18, 2011 at 07:41:09AM -0500, Les Mikesell wrote:
> On 7/18/11 5:43 AM, Stephen Harris wrote:
> >>> RFC2821 says:
> >>>      -  The domain name given in the EHLO command MUST BE either a primary
> >>>         host name (a domain name that resolves to an A RR) or, if the host
> >>>         has no name, an address literal as described in section 4.1.1.1.
> >>>
> >>> So, pretty much, HELO or EHLO greeting _must_ match to an IP.
> >>>
> >>> (RFC821 actually wanted the HELO to match the connecting host, but
> >>> 2821 just says it must be an A record or an address literal).

> Can you point me to the section?  I don't see anything there about the hostname 
> having to match an interface address or being allowed to reject if it isn't - or 
> even any advice on how clustered hosts representing one mail domain should 
> represent themselves.

I think you think I'm disagreeing with you; I'm not.  I'm agreeing
with you.  The RFCs don't require the SMTP server to match the interface
IP address.

Note that RFC821 has been obsoleted and replaced with 2821.  Anyone
programming to 821 requirements is doing it wrong.  In fact 2821 has
been replaced with 5321.

5321 says

2.3.5 [...]

   The domain name given in the EHLO command MUST be either a primary
   host name (a domain name that resolves to an address RR) or, if
   the host has no name, an address literal, as described in
   Section 4.1.3 and discussed further in the EHLO discussion of
   Section 4.1.4.

I think that reference to 4.1.4 should really be 4.1.1.1...

4.1.1.1.  Extended HELLO (EHLO) or HELLO (HELO)

   These commands are used to identify the SMTP client to the SMTP
   server.  The argument clause contains the fully-qualified domain name
   of the SMTP client, if one is available.  In situations in which the
   SMTP client system does not have a meaningful domain name (e.g., when
   its address is dynamically allocated and no reverse mapping record is
   available), the client SHOULD send an address literal (see
   Section 4.1.3).

You only need to follow 5321 requirements, which do _not_ require the
host to identify itself as matching the specific interface; it merely needs
to identify as a valid A record (or address literal) for the client system.

There's nothing to say that the client system need be listening on port
25 (or be open to port 25 connections; firewalls, for example), so anyone
performing HELO (or EHLO) address verification is pretty much limited
to the 2.3.5 requirement: that the passed name is _a_ valid name.  Which
is, AFAIK, all postfix does.

-- 

rgds
Stephen
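An added example, not part of the message above and not postfix's own code, showing the distinction the thread draws: a HELO/EHLO argument is checked under RFC 5321 section 2.3.5 for being either a syntactically valid address literal (section 4.1.3) or a well-formed name with an address record, while matching the connecting IP is computed only as informational data, never as a rejection criterion. The DNS table `FAKE_DNS` and the function names are constructed for this illustration so it runs offline; a real deployment would query DNS.

```python
"""Classify an SMTP HELO/EHLO argument along the lines RFC 5321 2.3.5 allows.

Added illustration for the thread; not postfix code.  The resolver is a
constructed in-memory table (assumption) so the check runs without network.
"""
import ipaddress
import re

# RFC 5321 section 4.1.2 "Domain" grammar, approximated: dot-separated labels
# of letters, digits and hyphens that neither start nor end with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed stand-in for A/AAAA lookups (documentation addresses, not real hosts).
FAKE_DNS = {
    "mail.example.com": ["192.0.2.10"],
    "mx.example.net": ["2001:db8::25"],
}


def fake_resolve(name):
    """Return the address records for name, or [] if there are none (constructed)."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])


def parse_address_literal(arg):
    """Return the address inside an RFC 5321 4.1.3 literal, or None if malformed.

    Accepts "[192.0.2.10]" and "[IPv6:2001:db8::25]"; rejects anything else.
    """
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    inner = arg[1:-1]
    try:
        if inner.startswith("IPv6:"):
            return ipaddress.IPv6Address(inner[len("IPv6:"):])
        return ipaddress.IPv4Address(inner)
    except ValueError:
        return None


def classify_helo(arg, resolve=fake_resolve):
    """Classify a HELO/EHLO argument.

    Returns one of:
      "literal"    - a valid address literal; acceptable under 2.3.5 regardless
                     of whether it equals the peer's IP
      "resolvable" - a well-formed FQDN with at least one address RR
      "unknown"    - a well-formed FQDN with no address RR (the case a site
                     may choose to reject; 2.3.5 requires the RR to exist)
      "invalid"    - neither a literal nor a well-formed fully-qualified name
    """
    if parse_address_literal(arg) is not None:
        return "literal"
    # 4.1.1.1 asks for a fully-qualified name, so a single label is not enough.
    if not _DOMAIN_RE.match(arg) or "." not in arg:
        return "invalid"
    if resolve(arg):
        return "resolvable"
    return "unknown"


def matches_peer(arg, peer_ip, resolve=fake_resolve):
    """True if the HELO argument names the connecting IP.

    Informational only: RFC 5321 does not require this match, so a False
    result is not by itself grounds for rejecting the session.
    """
    peer = ipaddress.ip_address(peer_ip)
    literal = parse_address_literal(arg)
    if literal is not None:
        return literal == peer
    return any(ipaddress.ip_address(a) == peer for a in resolve(arg))


if __name__ == "__main__":
    # A clustered host greeting with a valid name that is not its own interface
    # address: acceptable under 2.3.5, and the mismatch is merely noted.
    for helo, peer in [("mail.example.com", "198.51.100.7"),
                       ("[IPv6:2001:db8::25]", "2001:db8::25"),
                       ("nosuch.example.org", "203.0.113.4"),
                       ("localhost", "203.0.113.4")]:
        print(f"{helo:24} {classify_helo(helo):11} peer-match={matches_peer(helo, peer)}")
```

The classification is the only part a policy should act on; `matches_peer` exists to show that a greeting from a cluster member can be fully compliant while naming an address other than the one it connected from.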