On 8/04/2023 10:31 am, raf via Postfix-users wrote:
On Thu, Apr 06, 2023 at 11:28:07AM +1000, Sean Gallagher <s...@teletech.com.au> 
wrote:

On 6/04/2023 10:39 am, raf via Postfix-users wrote:
On Thu, Apr 06, 2023 at 07:33:28AM +0800, Corey Hickman via Postfix-users 
<postfix-users@postfix.org> wrote:

Hello

for these two statements,

reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname

what are the differences between them? does the second one hold the first
one already?

Thanks.
reject_invalid_helo_hostname rejects malformed HELO or
EHLO hostnames.

reject_non_fqdn_helo_hostname rejects non
fully-qualified domain (or address) HELO or EHLO
hostnames.

I would assume that the second one subsumes the first,
since a malformed hostname can't be a fully-qualified
domain name.

cheers,
raf
 From reading the code, these two restrictions seem equivalent except when
SMTPUTF8 extension is used.
when the SMTPUTF8 is in play, reject_non_fqdn_helo_hostname will convert a
hostname containing UTF to an internationalized domain name
before checking. https://en.wikipedia.org/wiki/Internationalized_domain_name

So reject_invalid_helo_hostname will reject hostnames that contain UTF8 but
are otherwise valid.
It seems likely that reject_non_fqdn_helo_hostname was added to postfix to
replace reject_invalid_helo_hostname when emails containing UTF8 became a
thing.

Intuitively, you might think that reject_non_fqdn_helo_hostname is MORE
restrictive than reject_invalid_helo_hostname,
but in fact reject_non_fqdn_helo_hostname is LESS restrictive than
reject_invalid_helo_hostname.

At least, this is my understanding from reading the code. I may be wrong..

   Sean.
Hi Sean,

I based my comments only on the documentation, not the code.

But looking at the code, they both check that the hostname
is valid, but reject_non_fqdn_hostname() also checks that
there is a '.' character in the hostname (strchr(test_name, '.')).
That's the additional fqdn check.

But you are right that reject_invalid_hostname() calls
valid_hostname() while reject_non_fqdn_hostname() calls
valid_utf8_hostname(). I wonder if that is correct, or
if they should both be calling valid_utf8_hostname().
It's probably correct and probably more efficient the
way it is.

I think the outcome of the discussion in this thread was that valid_utf8_hostname() really has no "official" use case. It allows RAW UTF8 in hostnames - which should never happen. Hostnames that contain Unicode (non ASCII) code-points should be encoded with punycode with the ACE prefix.  Any name encoded this way should pass the valid_hostname() check.

In summary, all "normal" systems should be using "reject_invalid_helo_hostname" and leave "reject_non_fqdn_helo_hostname" to isolated systems whose names never appear on the internet.

The latter is LESS restrictive, in that it allows illegally encoded domain names containing raw UTF8 encoded unicode code points. i.e. names containing "U-labels" as defined in RFC5890 2.3.2.1.

The latter is MORE restrictive, in that it does NOT allow names without any dots.

Few people would be concerned with the "must contain a dot" restriction and should therefore consider "reject_non_fqdn_helo_hostname" as less restrictive than "reject_invalid_helo_hostname" in a way that is not generally useful. That said, it is not is any way dangerous to use the "reject_non_fqdn_helo_hostname" restriction - unless downstream mail handling software contains bugs that may lead to a crash if it was given a non-standard domain name.

There does not seem to be any checks in Postfix that can decode random IDNA names and verify that they are well formed. Specific names can be checked for by using names containing "A-labels" as defined in RFC5890 2.3.2.1, i.e. punycode, as you would any other name in the various Postfix maps.

After going through this, my advice would be to always use "reject_invalid_helo_hostname" unless you really think you need the extra flexibility of  "reject_non_fqdn_helo_hostname". Or if at some stage, a better test is added to Postfix that can "look inside" internationalized domain names and reject invalid names as defined by RFC5892.

Hope this clears things up. I agree that the documentation on this is somewhat lacking.

Sean


--
This email has been checked for viruses by AVG antivirus software.
www.avg.com
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to