John Peacock wrote:
RFC-2821 Section 3.6 states:

    Only resolvable, fully-qualified, domain names (FQDNs) are permitted
    when domain names are used in SMTP. In other words, names that can
    be resolved to MX RRs or A RRs (as discussed in section 5) are
    permitted, as are CNAME RRs whose targets can be resolved, in turn,
    to MX or A RRs. Local nicknames or unqualified names MUST NOT be
    used. There are two exceptions to the rule requiring FQDNs:

    - The domain name given in the EHLO command MUST BE either a primary
      host name (a domain name that resolves to an A RR) or, if the host
      has no name, an address literal as described in section 4.1.1.1.

So I wrote check_helofqdn (attached). I haven't finished it (I need
to smarten up the regex that looks for IP addresses, see section
4.1.1.1). I was thinking of having an optional DNS test to see if the
name given to EHLO was, in fact, a valid A record (instead of just
testing for the presence of at least one dot in the name), using the
same sort of framework that the dnsbl code uses.

Opinions???

John

By "address literal" is OK, they mean IP, right? And what you're
doing on ehlo if it pretends to be an fqdn is well predicated--

http://svn.perl.org/viewcvs/qpsmtpd/trunk/plugins/require_resolvable_fromhost?rev=588&view=markup

http://perlq.org/ yellow band shows that require_resolvable_fromhost
is a productive filter.

Giving a non-ip address implies that the address resolves to an ip.
They open the door.

-Bob

------------------------------------------------------------------------
=head1 NAME

check_helofqdn - Check a HELO message delivered from a connecting host.

=head1 DESCRIPTION

Check a HELO message delivered from a connecting host.  Reject any
that are not a Fully Qualified Host Name, per RFC-2821 Section 3.6.

=head1 CONFIGURATION

None

=cut

sub hook_helo {
    my ($self, $transaction, $host) = @_;

    # Nothing to check if no argument was given
    ($host = lc $host) or return DECLINED;

    unless (
        # IPv4 address, optionally bracketed as an address literal
        ( $host =~ m/^\[?[0-9]{1,3}(?:\.[0-9]{1,3}){3}\]?$/ )
        or
        ( $host =~ m/.+[.].+/ )    # at least one dot
    ) {
        $self->log(LOGDEBUG, "$host violates RFC-2821 Section 3.6 FQDN");
        return (DENY, "HELO/EHLO require valid hostname (#5.7.1)");
    }
    return DECLINED;
}

# also support EHLO
*hook_ehlo = \&hook_helo;
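
The syntax side of the check discussed in this thread, as an added example that is not part of the original messages or of qpsmtpd. It is stricter than the attached plugin: address literals must use the square-bracket form RFC 2821 defines, and an unbracketed dotted quad is rejected. classify_helo is a hypothetical helper name, the IPv6 test is only a coarse character check, and the sample arguments are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify a HELO/EHLO argument as 'literal', 'fqdn' or 'invalid'.
# Hypothetical helper for illustration; syntax only, no DNS lookup.
sub classify_helo {
    my ($host) = @_;
    return 'invalid' unless defined $host && length $host;
    $host = lc $host;

    # Address literal: always enclosed in square brackets.
    if ($host =~ /\A\[(.*)\]\z/) {
        my $inner = $1;

        # IPv4 literal: four decimal octets, each in 0..255.
        if ($inner =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/) {
            my @bad = grep { $_ > 255 } $1, $2, $3, $4;
            return @bad ? 'invalid' : 'literal';
        }

        # IPv6 literal: "IPv6:" tag, then hex groups with at least one colon.
        return 'literal'
            if $inner =~ /\Aipv6:[0-9a-f:.]*:[0-9a-f:.]*\z/;
        return 'invalid';
    }

    # Domain name: at least two dot-separated labels, 255 chars at most.
    my @labels = split /\./, $host, -1;
    return 'invalid' if @labels < 2 || length($host) > 255;

    # Each label: 1-63 letters, digits or hyphens, no hyphen at either end.
    for my $label (@labels) {
        return 'invalid'
            unless $label =~ /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/;
    }

    # An all-numeric last label means a bare IP address, not a host name.
    return 'invalid' if $labels[-1] =~ /\A\d+\z/;
    return 'fqdn';
}

# Constructed sample HELO arguments, not taken from real traffic.
for my $arg ('mail.example.com', '[192.0.2.25]', '[IPv6:2001:db8::1]',
             'localhost', '192.0.2.25', '[300.1.1.1]', 'bad_host.example.com') {
    printf "%-24s %s\n", $arg, classify_helo($arg);
}
```

A name classified as 'fqdn' here is only well-formed; the optional A-record lookup proposed in the thread would be a separate step.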