On 2021-08-08, at 16:13 (UTC+0200), Matus UHLAR - fantomas had the following to say:

: are you searching for disabling particular strings in helo/ehlo command?

On 08.08.21 22:04, Mono DHS wrote:
No, I would like to validate the argument to the EHLO command
(actually, to both the EHLO and HELO commands, but see below).

The standard says that it must have the form of a ⟨Domain⟩ or
⟨address-literal⟩ (only ⟨Domain⟩s allowed with HELO), and be a
"primary host name" [1] for the former.  A primary host name is
defined as an FQDN that resolves to an A or AAAA RRset, as opposed
to merely an MX RRset.

However, there are globally well-defined domain names [2], as well
as IP addresses [3], that satisfy these respective productions, yet have
special semantics that preclude them from appearing in any /meaningful/
SMTP conversation on the public Internet -- either as argument to the
EHLO/HELO command or the ⟨Domain⟩ part in a ⟨Mailbox⟩, where only
⟨Domain⟩s are allowed.  It's only logical, then, to weed them out
before we even invoke the DNS lookup machinery in our attempts to
resolve a domain name that -- by definition -- is to produce an
NXDOMAIN from any well-administered public DNS server, anyway.

I currently only have the domain names listed in a  check_helo_access
table with a  REJECT  action for each and all its sub-domains, and would
like to extend this functionality to ⟨address-literal⟩s for the EHLO
command case.  The way I understand the workings of the  check_helo_access
tables is that no DNS lookup is performed before the table is consulted.
So far, so good.

you could use check_helo_access with a pcre table that would refuse
anything that matched an address literal, e.g.

^\[?[0-9]+(\.[0-9]+)+\]?$       REJECT address literals forbidden

and similarly for IPv6 addresses.
I don't know where you got the idea that an address is not allowed in helo/ehlo - it is.

My current approach consists of either having both domain names and
IP addresses in one  check_helo_access  table (operationally preferred,
but insufficient for specifying all IP address forms) or use /two/
check_helo_access  tables in succession: one access(5) table for
domain names followed by one cidr_table(5) for IP addresses.  The
latter is a consequence of the fact that these special addresses
are all defined as CIDR blocks, and some of them with prefixes
that aren't integer-multiples of 8, which rules out access(5)
tables for those IP addresses.

that should be fine, logical and effective - first compare cidr, then
subdomain match (e.g. example.com, example.net etc.) and finally PCRE.

Another complication arises with SMTP clients that only introduce
themselves with the HELO command.  In that particular case, as
near-pathological as it may seem these days, I would /only/ like
the domain name table to be consulted, and not the IP address table,
since, well, ⟨address-literal⟩s aren't allowed as arguments to the
HELO command.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
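The two-table approach discussed in the thread (a parent-domain match for special-use names, a CIDR match for special-purpose address blocks, and no address table at all for HELO), as an added example that is not part of the original thread and is not Postfix code: a small Python emulation of the pre-DNS checks. The special-use names (RFC 6761 plus the documentation domains) and special-purpose blocks (entries from the RFC 6890 registry plus the RFC 6598 shared space) are illustrative stand-ins for the poster's own tables, and refusing address literals outright for HELO is this example's policy choice. The render_cidr_table helper only writes the block list out in cidr_table(5) syntax; how Postfix forms the lookup key for a bracketed literal is not addressed on the page and is not assumed here.

```python
"""Pre-DNS validation of the HELO/EHLO argument (added example, not
the poster's tables and not Postfix code).

Emulates the two-table idea from the thread: an access(5)-style
parent-domain match for special-use names and a cidr_table(5)-style
match for special-purpose address blocks, with address literals refused
outright for HELO.  The lists below are illustrative."""
import ipaddress
import re

# Special-use domain names (RFC 6761) and the documentation domains.
# An access(5)-style lookup matches the name or any parent domain.
SPECIAL_USE_DOMAINS = frozenset({
    "localhost", "invalid", "test", "example",
    "example.com", "example.net", "example.org",
})

# Special-purpose blocks (RFC 6890 registry entries plus RFC 6598 shared
# space).  100.64.0.0/10, 172.16.0.0/12, 198.18.0.0/15 and fc00::/7 have
# prefixes that are not a multiple of 8, which octet-truncating access(5)
# patterns cannot express; that is the case for a cidr_table(5).
SPECIAL_PURPOSE_BLOCKS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "2001:db8::/32",
    "fc00::/7", "fe80::/10", "ff00::/8",
))

# RFC 5321 <Domain>: dot-separated labels of letters, digits and hyphens
# with no leading or trailing hyphen; a trailing dot is tolerated.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")
# RFC 5321 <address-literal>: "[" IPv4 "]" or "[IPv6:" IPv6 "]".
_LITERAL_RE = re.compile(
    r"^\[(?:IPv6:(?P<v6>[0-9A-Fa-f:.]+)|(?P<v4>[0-9.]+))\]$")


def classify(arg):
    """Return ('domain', name), ('literal', ip) or ('invalid', reason)."""
    m = _LITERAL_RE.match(arg)
    if m:
        try:
            ip = ipaddress.ip_address(m.group("v6") or m.group("v4"))
        except ValueError:
            return ("invalid", "malformed address literal")
        # The "IPv6:" tag must carry a v6 address and a bare literal a v4 one.
        if (ip.version == 6) != bool(m.group("v6")):
            return ("invalid", "address literal tag does not match address")
        return ("literal", ip)
    if len(arg) <= 255 and _DOMAIN_RE.match(arg):
        return ("domain", arg.rstrip(".").lower())
    return ("invalid", "neither <Domain> nor <address-literal>")


def special_use_match(name):
    """access(5)-style lookup: the name itself, then each parent domain."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SPECIAL_USE_DOMAINS:
            return candidate
    return None


def special_purpose_match(ip):
    """cidr_table(5)-style lookup: first listed block containing ip."""
    for block in SPECIAL_PURPOSE_BLOCKS:
        if ip.version == block.version and ip in block:
            return block
    return None


def check_helo(verb, arg):
    """Decide REJECT/DUNNO for a HELO or EHLO argument with no DNS lookup.

    DUNNO means nothing here objects and the DNS-based checks may follow."""
    kind, value = classify(arg)
    if kind == "invalid":
        return ("REJECT", value)
    if kind == "literal":
        if verb.upper() == "HELO":
            # RFC 5321 4.1.1.1: HELO takes a <Domain> only, so the address
            # table is never consulted for HELO (this example's policy).
            return ("REJECT", "address literal not allowed with HELO")
        block = special_purpose_match(value)
        if block is not None:
            return ("REJECT", f"{value} is in special-purpose block {block}")
        return ("DUNNO", "address literal passes pre-DNS checks")
    hit = special_use_match(value)
    if hit is not None:
        return ("REJECT", f"{value} is under special-use domain {hit}")
    return ("DUNNO", "domain passes pre-DNS checks")


def render_cidr_table(action="REJECT special-purpose address"):
    """Write the block list in cidr_table(5) syntax: 'network action' lines."""
    return "\n".join(f"{b.with_prefixlen} {action}" for b in SPECIAL_PURPOSE_BLOCKS)


if __name__ == "__main__":
    # Constructed sample arguments, not traffic from the thread.
    for verb, arg in (("EHLO", "mail.example.com"), ("EHLO", "[100.127.3.4]"),
                      ("HELO", "[192.0.2.1]"), ("EHLO", "[IPv6:2001:db8::1]"),
                      ("EHLO", "smtp.example-mailer.net."), ("HELO", "foo..bar")):
        print(verb, arg, "->", check_helo(verb, arg))
```

The domain check walks parent domains the way an access(5) lookup does, so a single "example.com" entry also covers mail.example.com, while the CIDR walk is a plain containment test that handles the /10 and /12 prefixes an octet-truncating access(5) pattern cannot.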
