postfix-users April 2011 archive
postfix-users: Re: SMTP client host name spoofing

From: Vincent Lefevre <vincent_at_nospam>
Date: Sun Apr 03 2011 - 23:27:51 GMT
To: postfix-users@postfix.org

On 2011-04-01 23:51:39 +0200, mouss wrote:
> we're not asking them to resolve their hostname. we're only asking them
> to use a "real" name. it's as easy as
> myhostname = joe.example.com
>
> with a "joe.example.com" that exists in DNS.

But the purpose of having a host in DNS is to be able to resolve it.
I mean: you can't have a real hostname in the DNS if it is on a private
network (unreachable because of NAT), can you? Well... I'm not sure.
See below.

> I don't use reject_unknown_helo_hostname. however, I watch my dog^W log,
> and I blocklist an IP that uses a "dumb" helo if it ever gets under my
> attention (mostly in the case of a rejection such as "user unknown", but
> also if spam filter says it is probably spam...).

Using a private IP (which doesn't even break a SHOULD in the RFCs)
is IMHO as dumb as a hostname that isn't in DNS.

> let me state this differently:
>
> - there are people who are cooperative. they do everything to look good.
> they work "with us". these people are welcome, and if we ever block
> them, we'll apologize and whitelist them on demand
>
> - there are the "uncooperative" people. most of these don't know how
> smtp works. we will happily accept their mail as long as it goes to
> valid recipients and is not caught by filters. as soon as they trigger a
> filter (including "user unknown"), there is no mercy.

IMHO, that's fine.

> if you have a dynamic IP, it is still a good idea to use a "static"
> helo. even if it doesn't resolve to your IP. I know some other people
> may say the opposite (require helo to resolve to IP),

Well, this doesn't make sense since a machine can have several
IP addresses (e.g. because it has several physical or virtual
interfaces and one doesn't necessarily know which one will be
used). Now, the question is more: if the hostname is resolved,
should it necessarily correspond to the machine? More precisely,
if I use host-for-smtp-only.mydomain.tld, which resolves to
127.0.0.1 (the IP address should not be used to contact the
machine anyway), is it OK?

Note: this hostname would be used *only* for EHLO. So, there's
no risk for other protocols.

> but I won't go that far (I accept mail from dynamic IPs if the
> "owner" does some efforts...).

-- 
Vincent Lefèvre <vincent_at_vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
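
The HELO policies compared in this thread, as an added example that is not part of the original message: it reports whether a HELO/EHLO argument exists in DNS, whether it resolves to the connecting client, and whether it points at loopback or RFC 1918 space. The DNS table, the client addresses, the MX-only name and the function names are constructed for illustration; only IPv4 address literals are handled.

```python
import ipaddress

# Constructed DNS data for illustration; no network lookups are made.
# Hostnames are the hypothetical ones from the thread plus one MX-only name.
CONSTRUCTED_DNS = {
    "joe.example.com": {"A": ["192.0.2.25"], "MX": []},
    "host-for-smtp-only.mydomain.tld": {"A": ["127.0.0.1"], "MX": []},
    "mail-only.example.net": {"A": [], "MX": ["mx.example.net"]},
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_unroutable(addr):
    """True for loopback or RFC 1918 private addresses."""
    return addr.is_loopback or (
        addr.version == 4 and any(addr in net for net in RFC1918))


def evaluate_helo(helo, client_ip, dns=CONSTRUCTED_DNS):
    """Report how one HELO/EHLO argument fares under each policy."""
    client = ipaddress.ip_address(client_ip)
    if helo.startswith("[") and helo.endswith("]"):
        # Address literal such as [192.168.1.10]: valid syntax, not a DNS name.
        addrs = [ipaddress.ip_address(helo[1:-1])]
        exists, kind = False, "literal"
    else:
        rec = dns.get(helo.rstrip(".").lower(), {"A": [], "MX": []})
        addrs = [ipaddress.ip_address(a) for a in rec["A"]]
        # Postfix's reject_unknown_helo_hostname rejects a name that has
        # neither an A nor an MX record, so either one counts as "exists".
        exists, kind = bool(rec["A"] or rec["MX"]), "hostname"
    return {
        "kind": kind,
        "exists_in_dns": exists,                # "a name that exists in DNS"
        "resolves_to_client": client in addrs,  # stricter: HELO must match IP
        "unroutable": [str(a) for a in addrs if is_unroutable(a)],
    }


if __name__ == "__main__":
    samples = [("joe.example.com", "198.51.100.7"),
               ("host-for-smtp-only.mydomain.tld", "198.51.100.7"),
               ("[192.168.1.10]", "198.51.100.7"),
               ("nosuchhost.invalid", "198.51.100.7")]
    for helo, ip in samples:
        print(helo, ip, evaluate_helo(helo, ip))
```

The name that resolves to 127.0.0.1 passes the "exists in DNS" test and fails only the stricter "resolves to the client" test, which is the distinction the question above turns on.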