Re: SMTP client host name spoofing

Thu, 31 Mar 2011 11:01:43 -0700 

Victor Duchovni put forth on 3/31/2011 12:44 PM:
> On Thu, Mar 31, 2011 at 12:20:58PM -0500, Stan Hoeppner wrote:
> 
>>> No, the "google" name is just the EHLO parameter sent by the client,
>>> it is not derived from DNS lookups and not verified.
>>
>> Thanks for the clarification Viktor.  I can't seem to locate any
>> documentation on the official Postfix website that defines what Postfix
>> inserts in the first received line.  I'm sure I'm simply search
>> handicapped.  Can you point me the relevant docs?
> 
> The syntax of Received lines is specified in RFC 821/2821/5321:
> 
>     http://tools.ietf.org/html/rfc5321#section-4.4

No wonder I didn't find it--looking in the wrong place.

>    When an SMTP server receives a message for delivery or further
>    processing, it MUST insert trace ("time stamp" or "Received")
>    information at the beginning of the message content, as discussed in
>    Section 4.1.1.4.
> 
>    This line MUST be structured as follows:
> 
>    o  The FROM clause, which MUST be supplied in an SMTP environment,
>       SHOULD contain both (1) the name of the source host as presented
>       in the EHLO command and (2) an address literal containing the IP
>       address of the source, determined from the TCP connection.
> 
> the details are at the bottom of page 58/top of 59:
> 
>       Time-stamp-line  = "Received:" FWS Stamp <CRLF>
> 
>     Klensin                     Standards Track                    [Page 59]
>      
>     RFC 5321                          SMTP                      October 2008
> 
>        Stamp          = From-domain By-domain Opt-info [CFWS] ";"
>                     FWS date-time
>                     ; where "date-time" is as defined in RFC 5322 [4]
>                     ; but the "obs-" forms, especially two-digit
>                     ; years, are prohibited in SMTP and MUST NOT be used.
> 
>        From-domain    = "FROM" FWS Extended-Domain
> 
>        By-domain      = CFWS "BY" FWS Extended-Domain
> 
>        Extended-Domain  = Domain /
>                       ( Domain FWS "(" TCP-info ")" ) /
>                       ( address-literal FWS "(" TCP-info ")" )
> 
>        TCP-info       = address-literal / ( Domain FWS address-literal )
>                     ; Information derived by server from TCP connection
>                     ; not client EHLO.

So the verified reverse DNS data Postfix inserts in front of the address
literal would be the "Domain folded whitespace" mentioned above or
"address-literal FWS"?  I assume the IP address in the received line
falls under "TCP-info" above.

Thanks again Viktor.

-- 
Stan

Reply via email to