RFC-2821 Section 3.6 states:

    Only resolvable, fully-qualified, domain names (FQDNs) are permitted
    when domain names are used in SMTP. In other words, names that can
    be resolved to MX RRs or A RRs (as discussed in section 5) are
    permitted, as are CNAME RRs whose targets can be resolved, in turn,
    to MX or A RRs. Local nicknames or unqualified names MUST NOT be
    used. There are two exceptions to the rule requiring FQDNs:

    - The domain name given in the EHLO command MUST BE either a primary
      host name (a domain name that resolves to an A RR) or, if the host
      has no name, an address literal as described in section 4.1.1.1.

So I wrote check_helofqdn (attached). I haven't finished it (I need to
smarten up the regex that looks for IP addresses, see section 4.1.1.1).
I was thinking of having an optional DNS test to see if the name given
to EHLO was, in fact, a valid A record (instead of just testing for the
presence of at least one dot in the name), using the same sort of
framework that the dnsbl code uses.
Opinions???
John
=head1 NAME

check_helofqdn - Check a HELO message delivered from a connecting host.

=head1 DESCRIPTION

Check a HELO message delivered from a connecting host. Reject any
that are not a Fully Qualified Host Name, per RFC-2821 Section 3.6.

=head1 CONFIGURATION

None

=cut

sub hook_helo {
    my ($self, $transaction, $host) = @_;
    # empty HELO argument: leave it to the core / other plugins
    ($host = lc $host) or return DECLINED;
    unless (
        # address literal per RFC-2821 section 4.1.1.1, e.g. [192.0.2.1];
        # anchored and bracketed so "1.2.3.4" buried in a name does not match
        ( $host =~ m/^\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]$/ )
        or
        # otherwise require at least one dot in the name
        ( $host =~ m/.+[.].+/ )
    ) {
        $self->log(LOGDEBUG, "$host violates RFC-2821 Section 3.6 FQDN");
        return (DENY, "HELO/EHLO require valid hostname (#5.7.1)");
    }
    return DECLINED;
}

# also support EHLO
*hook_ehlo = \&hook_helo;
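As an added illustration (not part of the plugin or the message above), the following standalone Perl script shows the full RFC-2821 3.6 / 4.1.1.1 decision the plugin is heading towards: bracketed IPv4 and IPv6 address literals are accepted, bare dotted quads and unqualified nicknames are rejected, hostname labels are syntax-checked, and the optional A-record test from the message is modelled as a resolver callback. The function name check_helo_arg, the callback interface and the %fake_a lookup table are assumptions made for this example; the hostnames and addresses are constructed samples, so it runs offline with no DNS access.

```perl
#!/usr/bin/perl
# Added example: classify a HELO/EHLO argument per RFC 2821 sections 3.6 and
# 4.1.1.1. Names, resolver interface and sample data are constructed here.
use strict;
use warnings;

# Returns (1, "kind") if acceptable, (0, "reason") otherwise.
# $resolve is an optional coderef: $resolve->($name) returns true when the
# name has an A record. When omitted, only the syntax is checked.
sub check_helo_arg {
    my ($host, $resolve) = @_;
    return (0, 'empty argument') unless defined $host && length $host;
    $host = lc $host;

    # Address literal: "[" IPv4 "]" or "[IPv6:" hex groups "]" (section 4.1.1.1).
    if ($host =~ /^\[(.*)\]$/) {
        my $lit = $1;
        if ($lit =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
            return (0, 'IPv4 octet out of range') if grep { $_ > 255 } ($1, $2, $3, $4);
            return (1, 'ipv4-literal');
        }
        if ($lit =~ /^ipv6:[0-9a-f:.]+$/ && $lit =~ /:/) {
            return (1, 'ipv6-literal');   # loose check: tag plus hex/colon body
        }
        return (0, 'malformed address literal');
    }

    # A bare dotted quad is neither a name nor a literal; reject it explicitly.
    return (0, 'unbracketed IP address') if $host =~ /^\d{1,3}(\.\d{1,3}){3}$/;

    # Hostname: two or more labels of [a-z0-9-], no leading/trailing hyphen.
    my @labels = split /\./, $host, -1;
    return (0, 'not fully qualified (needs at least one dot)') if @labels < 2;
    for my $label (@labels) {
        return (0, "bad label '$label'")
            unless $label =~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;
    }
    return (0, 'top-level label must not be all digits') if $labels[-1] =~ /^\d+$/;

    # Optional resolvability test, as proposed in the message above.
    if ($resolve) {
        return (0, 'no A record') unless $resolve->($host);
    }
    return (1, 'fqdn');
}

# Constructed lookup table standing in for DNS, so this runs offline.
my %fake_a = ('mail.example.com' => 1, 'mx.example.org' => 1);
my $resolve = sub { exists $fake_a{ $_[0] } };

# Constructed sample HELO arguments with the expected verdict (1 accept, 0 reject).
my @samples = (
    ['mail.example.com',      1],
    ['MAIL.Example.COM',      1],   # comparison is case-insensitive
    ['[192.0.2.10]',          1],
    ['[256.0.0.1]',           0],
    ['[IPv6:2001:db8::1]',    1],
    ['192.0.2.10',            0],   # bare address, not a literal
    ['localhost',             0],   # unqualified nickname
    ['bogus.example.net',     0],   # syntactically fine, but no A record
    ['-bad-.example.com',     0],
    ['',                      0],
);

for my $s (@samples) {
    my ($ok, $why) = check_helo_arg($s->[0], $resolve);
    printf "%-22s %-6s %s\n", "'$s->[0]'", ($ok ? 'ACCEPT' : 'REJECT'), $why;
    die "unexpected verdict for '$s->[0]'" if $ok != $s->[1];
}
```

Passing undef instead of $resolve turns the function into a pure syntax check, which is the right default for a plugin: a DNS lookup on every HELO adds latency and a dependency on resolver availability, so the resolvability test is best kept behind a configuration switch, as the message suggests.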