What a can of worms..
IDNA2003 allowed UTF8 in domain names
IDNA2008 subsequently forbid non-ASCII characters in domain names.
RFC6531 (which defines the SMTPUTF8 extension) Allows internationalized
domain names in headers and the "envelope" - taken to mean the RCPT (to
address) and MAIL (from address)
email addresses. So that would put the EHLO host domain name and the
server's own host domain name
outside the scope of SMTPUTF8.
RFC5321 (which defines SMTP) section 2.3.5 says that "only resolvable,
fully-qualified
domain names (FQDNs) are permitted when domain names are used in SMTP" and
IDNA2003 allowed UTF8 as resolvable domain names. So between 2003 and 2008
UTF8 domain names were perfectly legal. Interestingly, 2.3.5 also
allows top-level domain names (without any dots) to be used.
In practice, does anyone actually use UTF8 (from IDNA2003) in domain names?
Do you want to be "right" and bounce the occasional user who is running
old software?
Or do you want to accept the world as it is.. decide where you stand and
choose one of
the rules - you probably don't need both.
reject_invalid_helo_hostname seems to fit with modern standards but will
reject IDNA2003
domain names that were legal between 2003 and 2008. It will allow a
top-level domain.
reject_non_fqdn_helo_hostname will accept IDNA2003 domain names (which
are no longer
allowed but may still exist). It will also forbid a top-level domain
from being used.
On 6/04/2023 2:59 pm, Viktor Dukhovni via Postfix-users wrote:
On Thu, Apr 06, 2023 at 07:33:28AM +0800, Corey Hickman via Postfix-users wrote:
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
what are the differences between them? does the second one hold the
first one already?
Neither subsumes the other, perhaps due to an implementation oversight.
The first excludes bad hostname syntax, *and* (correctly I believe,
since EHLO precedes the announcement of SMTPUTF8 support) disallows UTF8
names. The second excludes bad syntax, requires at least one "." in the
name, but doesn't disallow UTF8.
Intuitively, you might think that reject_non_fqdn_helo_hostname is
MORE restrictive than reject_invalid_helo_hostname, but in fact
reject_non_fqdn_helo_hostname is LESS restrictive than
reject_invalid_helo_hostname.
Differently restrictive, but likely unintentionally.
On Thu, Apr 06, 2023 at 09:49:47AM +0800, Ken Peng via Postfix-users wrote:
I agree with you. for instance, 腾讯.公司 is a invalid hostname, but
it is a fqdn hostname which will pass the check by the second clause.
It is a valid UTF8 hostname in a context where UTF8 is allowed, but the
EHLO command isn't such a context.
--
This email has been checked for viruses by AVG antivirus software.
www.avg.com
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
