Raymond Keller wrote:
* Wietse Venema ([EMAIL PROTECTED]) [20080903 11:35]:
Raymond Keller:
I configured reject_invalid_helo_hostname and was surprised to find
that underscores were permitted.  Judging by the source (I'm not
conversant in C), it looks like the author had this comment
regarding allowing underscores: "grr.."  I feel similarly.  Is that
you, Mr. Venema?  My sympathy.  I take it that allowing underscores
is for the sake of handling Windows MUAs?
Hostname syntax is defined in Internet RFCs. Postfix's hostname
validator routine cites RFC 952, RFC 1123, RFC 1035, RFC 2373.

However, not everyone reads internet RFCs before implementing email
software.  In order to be useful, Postfix allows for common
deviations. The primary mission of Postfix remains to deliver mail.

And Postfix does an excellent job of delivering mail, which is why I
am a user and advocate for about 8 years now.  I thank you very much
for your work.

I'm sorry if this touches on a sore spot.  I understand the need to
balance RFC compliance and real-world function.

Is the compatibility that is sought by allowing underscores done for
the sake of Windows MUAs?

No. This has nothing to do with Windows nor with MUAs. You generally don't care about the helo used by MUAs. MUAs should use submission (mynetworks, sasl, ... preferably on port 587). So when you check helo, you assume that the client is an MTA.

(One could check helo even in the case of submission in an attempt to detect owned machines, but this requires some work.)

In my circumstance I have no MUA clients
with RFC-invalid hostnames; my system is only a mail gateway.  So I
might refuse underscores.  I think ideally this might be done with a
configuration option (perhaps "strict_rfc_hostnames"), but perhaps I
should just do so via check_helo_access.  Is there any sense of how
many noncompliant MTA configurations are out there?  I would expect
there to be next to none (that are non-spammy).

/_/    554  RFCs 810, 952, and 1035 do not allow underscores in hostnames.


It's your mail! Test it (you can use warn_if_reject) and count the number of spam hits and ham hits. If the spam hit rate is too low or if the ham hit rate is too high, then you should not use this rule.


The other item I was wondering about was regarding SMTP RFC
compliance in HELO hostnames -- requiring brackets for literal
addresses.  This requirement is currently shortcut if the hostname
is a valid address.  I might refuse unbracketed literals.  Again,
ideally this might be done with a configuration option (perhaps
"strict_rfc2821_helo_hostnames"), but, again, it may be best for me
to just do the rejection via check_helo_access restriction.  Is
there any sense of how many legitimate MTA configurations out there
violate this particular requirement?

/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/    554  RFC 2821 does not allow bare address literals.


Some people (including $->self) use:
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname

One can also reject a literal IP in helo, as it shouldn't be seen in legitimate mail from MTAs (although it is still theoretically possible). Or, if that's too aggressive:

/^\[/   reject_unknown_client
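
The warn_if_reject trial suggested above can be tallied from the mail log. The following is an added example, not part of the original message: it counts how often the two check_helo_access patterns from the thread hit, split by whether the client is on an operator-supplied list of known-good MTAs. The log lines are constructed, and `KNOWN_GOOD`, `tally` and the assumed reject_warning line shape are assumptions of this example.

```python
import re
from collections import Counter

# Python equivalents of the two check_helo_access patterns from the thread.
RULES = [
    ("underscore", re.compile(r"_")),
    ("bare_literal", re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")),
]

# Assumed log shape: an smtpd reject_warning line with client[ip] and helo=<...>.
LINE_RE = re.compile(
    r"reject_warning: \S+ from \S*\[(?P<ip>[^\]]+)\]: .*\bhelo=<(?P<helo>[^>]*)>"
)

def tally(log_lines, known_good_ips):
    """Count warn_if_reject hits per rule, split by known-good vs. other clients."""
    counts = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a reject_warning line
        bucket = "ham" if m["ip"] in known_good_ips else "other"
        for name, rx in RULES:
            if rx.search(m["helo"]):
                counts[(name, bucket)] += 1
    return counts

# Constructed sample lines (documentation addresses, not real traffic).
PFX = "Sep  3 12:00:00 mx postfix/smtpd[1234]: NOQUEUE: reject_warning: RCPT from "
SFX = "; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<%s>"
SAMPLE_LOG = [
    PFX + "unknown[192.0.2.10]: 554 5.7.1 <192.0.2.10>: Helo command rejected: "
          "RFC 2821 does not allow bare address literals." + SFX % "192.0.2.10",
    PFX + "mx.example.net[198.51.100.7]: 554 5.7.1 <mail_gw.example.net>: Helo "
          "command rejected: no underscores" + SFX % "mail_gw.example.net",
    PFX + "unknown[203.0.113.5]: 554 5.7.1 <user_pc>: Helo command rejected: "
          "no underscores" + SFX % "user_pc",
    # Warning from an unrelated restriction; bracketed literal matches neither rule.
    PFX + "unknown[203.0.113.9]: 450 4.7.1 Client host rejected: cannot find "
          "your hostname, [203.0.113.9]" + SFX % "[203.0.113.9]",
    "Sep  3 12:00:00 mx postfix/smtpd[1234]: connect from unknown[203.0.113.5]",
]
KNOWN_GOOD = {"198.51.100.7"}  # hypothetical list of legitimate partner MTAs

if __name__ == "__main__":
    for (rule, bucket), n in sorted(tally(SAMPLE_LOG, KNOWN_GOOD).items()):
        print(f"{rule:13} {bucket:5} {n}")
```

A nonzero "ham" count for a rule means a known-good MTA would have been refused had the rule been enforced.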

