On 21 Dec 2016, at 5:42, L.P.H. van Belle wrote:

Hello Noel,

Would you please stop saying that I'm labeling... I'm not.
Sorry I'm so bad at explaining things in English.

I am just trying to explain something based on what I did read here:
http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname
reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname) Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

Here the "POSTFIX MANUAL" states >>>>> "HELO or EHLO hostname" <<<<<<
So I think we misunderstand each other.

I know a "helo hostname" is just a name which refers to an A, AAAA or MX record and the MX must refer to any A or AAAA.
I know it's not client-hostname or helo-hostname.

It's "helo <i-can-be-any-name>" and maybe that should be better in the manual. As long as it has a DNS A or MX record (as stated by RFC 5321 2.3.5).

Postfix mostly ignores the helo name.  You should too.
Why? Since in my opinion this is very bad advice.

It is good advice, if you want a robust mail system.

A mail system which requires all clients to follow every MUST and MUST NOT in any relevant RFC is *NOT ROBUST* it is *FRAGILE*. This is especially true if that server fails to be as strict in its own behavior.

This is why I enforce correct "HELO or EHLO hostname".
And it's as the Postfix manual states:
Rejecting the request when the HELO or EHLO hostname has no DNS A or MX record. Exactly what I need.

I think you are confusing "need" and "wish."

Using Postfix's "reject_unknown_helo_hostname" directive will result in rejection of mail from senders whose only problem is how their outbound mail server introduces itself. A significant subset of Microsoft's Office365 outbound mail servers have used EHLO/HELO names that do not resolve for many months at a stretch (and may still be doing so.) A significant minority of small and medium sized businesses who run their own mail systems (they still exist!) use unqualified or unresolvable hostnames on those systems.

A rough analysis of some of my recent logs shows that while >99% of mail offered by machines that use unresolvable HELO names are spam, I only can know that because that's how much of such mail is caught by other Postfix restrictions and associated tools. Much of the mail which my systems would have rejected with reject_unknown_helo_hostname is definitely NOT spam, as it is the remote half of conversations in which my users are active participants. The missed-spam reports of the past month from my users include nothing with a non-resolving HELO name.

In short: reject_unknown_helo_hostname on the systems I help manage would not improve spam exclusion and would cause substantial rejection of mail which users want and expect to have delivered reliably. Your mail flow may be different, however I suspect that you haven't looked closely enough at it to know.

RFC 5321 section 2.3.5 states:
   The domain name, as described in this document and in RFC 1035 [2],
   is the entire, fully-qualified name (often referred to as an
   "FQDN").  A domain name that is not in FQDN form is no more than a
   local alias.  Local aliases MUST NOT appear in any SMTP transaction.

   Only resolvable, fully-qualified domain names (FQDNs) are permitted
   when domain names are used in SMTP.  In other words, names that can
   be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed
   in Section 5) are permitted, as are CNAME RRs whose targets can be
   resolved, in turn, to MX or address RRs.  Local nicknames or
   unqualified names MUST NOT be used.


See also section 4.1.4:

   An SMTP server MAY verify that the domain name argument in the EHLO
   command actually corresponds to the IP address of the client.
   However, if the verification fails, the server MUST NOT refuse to
   accept a message on that basis.  Information captured in the
   verification attempt is for logging and tracing purposes.

One can parse that very narrowly to allow reject_unknown_helo_hostname, which does not require a *correct* resolution of the HELO name, just any resolution. I think that degree of RFC-lawyering misses the point: HELO names do not have and never have had a concrete functional role in SMTP, which has resulted in endemic carelessness in making that name correct.

There ARE things you can do with the HELO name to reliably detect illicit mail, but the only one that is a simple "set and forget" in Postfix is reject_invalid_helo_hostname. That requires the name to fit a much looser definition: essentially that it could be a resolvable hostname somewhere or is a logically valid IP literal. Everything else you can do with Postfix requires more careful thought and attention to the mail you actually get.
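
The kind of log review described in the message above, as an added example that is not part of the original thread: it assumes the restriction is deployed as `warn_if_reject reject_unknown_helo_hostname`, so Postfix logs a `reject_warning` line instead of rejecting. The log lines are constructed samples and `known_domains` is a hypothetical list of domains your users correspond with.

```python
import re
from collections import Counter

# Constructed sample lines in the format smtpd logs under warn_if_reject.
SAMPLE_LOG = """\
Dec 21 09:14:02 mx1 postfix/smtpd[2211]: connect from mail-out.example.net[192.0.2.10]
Dec 21 09:14:02 mx1 postfix/smtpd[2211]: NOQUEUE: reject_warning: RCPT from mail-out.example.net[192.0.2.10]: 450 4.7.1 <EXCH01>: Helo command rejected: Host not found; from=<alice@partner.example> to=<bob@example.org> proto=ESMTP helo=<EXCH01>
Dec 21 09:20:41 mx1 postfix/smtpd[2240]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 450 4.7.1 <srv-7.invalid>: Helo command rejected: Host not found; from=<promo@bulk.example> to=<bob@example.org> proto=ESMTP helo=<srv-7.invalid>
Dec 21 09:31:55 mx1 postfix/smtpd[2251]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<x@bulk.example> to=<bob@example.org> proto=ESMTP helo=<mail.bulk.example>
Dec 21 10:02:13 mx1 postfix/smtpd[2302]: NOQUEUE: reject_warning: RCPT from mail-out.example.net[192.0.2.10]: 450 4.7.1 <EXCH01>: Helo command rejected: Host not found; from=<carol@partner.example> to=<dave@example.org> proto=ESMTP helo=<EXCH01>
"""

# Match only warnings raised by the unresolvable-HELO check, not other restrictions.
WARN_RE = re.compile(
    r"reject_warning: \S+ from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"\d{3} [\d.]+ <(?P<helo>[^>]*)>: Helo command rejected: Host not found; "
    r"from=<(?P<sender>[^>]*)>"
)

def helo_warning_impact(log_text, known_domains):
    """Return (would_reject, wanted, helo_counts) for would-be HELO rejections.

    wanted lists (ip, helo, sender) for mail whose envelope sender domain is in
    known_domains, i.e. mail that enforcing the restriction would have bounced
    even though users are likely expecting it.
    """
    helo_counts = Counter()
    wanted = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        helo_counts[m["helo"]] += 1
        domain = m["sender"].rpartition("@")[2].lower()  # "" for the null sender <>
        if domain in known_domains:
            wanted.append((m["ip"], m["helo"], m["sender"]))
    return sum(helo_counts.values()), wanted, helo_counts

if __name__ == "__main__":
    total, wanted, counts = helo_warning_impact(SAMPLE_LOG, {"partner.example"})
    print(f"{total} would-be rejections, {len(wanted)} from known correspondents")
    for helo, n in counts.most_common():
        print(f"  {n:3d}  helo=<{helo}>")
    for ip, helo, sender in wanted:
        print(f"  wanted: {sender} via [{ip}] helo=<{helo}>")
```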
