<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR>
<STYLE>@font-face {
        font-family: Calibri;
}
@page Section1 {size: 612.0pt 792.0pt; margin: 72.0pt 72.0pt 72.0pt 72.0pt; }
P.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
LI.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
DIV.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.EmailStyle17 {
        COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-compose
}
.MsoChpDefault {
        mso-style-type: export-only
}
DIV.Section1 {
        page: Section1
}
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-GB vLink=purple link=blue>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B>
mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of
</B>Hostmaster<BR><B>Sent:</B> Friday, February 29, 2008 10:06
AM<BR><B>To:</B> MailScanner discussion<BR><B>Subject:</B> [Maybe OT] - RFC
compliance checking at session<BR></FONT><BR></DIV>
<DIV class=Section1>
<P class=MsoNormal>Hi All,<o:p></o:p></P>
<P class=MsoNormal>I would like to elicit some opinions from you other
MailScanner using MX-administrators. I know that there was some discussion on
list some time ago regarding session checking, particularly HELO/EHLO
checking, and its compliance against RFC 821, as clarified and updated in
2821. <o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>&lt;rant&gt;<o:p></o:p></P>
<P class=MsoNormal>We use Exim for both inbound and outbound message handling
around MailScanner, and on the inbound, some quite complex ACLs to validate
the session to try and cut down the amount of spam our users get. The first
check we run is to ensure that the HELO/EHLO is an FQDN. We don’t then
validate if this FQDN can be resolved, or even if it is valid, it just has to
be host.domain.tld, and this significantly cuts the number of RBL lookups we
do. This hasn’t caused us any problems with rejecting valid mail until
now.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>One of our users complained that they were no longer
receiving a newsletter they signed up for. I managed to find it in the exim
reject logs, and sure enough, it was failing the host checking – the EHLO it
sends is “(server3549)”, and exim declines the session with a 550 – permanent
reject for policy reasons. <o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Now comes the fun part. That 550 is not enough for the
sender – it ignores it and constantly retries the send, treating it more like
a 450, but not following any normal MTA retry period I can establish. That
would be enough for me to leave them blocked, but checking further, the IP for
that host has no RDNS, also a big no-no in my opinion for a valid mail server,
and the IP does not accept return SMTP – indicating that it’s probably a web
server and not an MTA itself. I even took the liberty of doing an
IPWhois, phoning the helpdesk of the company responsible for the IP (only
because they are UK based the same as us) and pointing the problem out, only
to be met with “yeah, we know about that, it’ll be fixed sometime next year
when we put a new server in”, even after I pointed out that they wouldn’t be
getting successful deliveries to organisations such as AOL (RDNS is a must)
and BT/Yahoo (whose policies are incredibly strict)!<o:p></o:p></P>
<P class=MsoNormal>&lt;/rant&gt;<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>So what do you guys think? Am I just being particularly
awkward on a Friday afternoon and should I spend my time re-working our config
to work around an organisation who is blatantly ignorant of common mail server
practice, or just tell my user that the sending organisation needs to get
their act together?<BR><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2>[Rick Cooper] </FONT></SPAN></P>
<P class=MsoNormal><SPAN class=609270820-29022008></SPAN> </P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2>I also enforce a proper helo name. I just went
through this with a rather large insurance company that switched mail servers
and the new server was incorrectly configured so it helo'd with something like
boogabooga.internal (I don't remember the host name part). The smart ass
mail admin said "what if that host doesn't have a FQDN" and I
replied dotted quad in square brackets according to the RFCs...
bud.</FONT></SPAN></P>
<P class=MsoNormal><SPAN class=609270820-29022008></SPAN> </P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2>I come across this now and then and I always try and
contact the sender's responsible party to clear it up. It's wrong, it breaks
SPF, it breaks RFCs and it's VERY common to see unqualified names coming from
BOTS, viruses and spam. I bet if you look through your logs you will see most
hosts that helo with a non-FQDN or .internal/.local/.localdomain are mostly
dynamic DSL or cable hosts. I dump a ton of them every day.</FONT></SPAN></P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2>I also run Exim and I have a !hosts
= /ListOfDickHeadsIHaveToAccept before each compliance check condition.
For instance a Zurich subsidiary that helo'd as something_stupid.local, no
RDNS, they did about everything but spit on the RFCs and we had to have
their mail.</FONT> <FONT face=Arial color=#0000ff size=2>I put them in
the list, inform the maintainers and remove them after 90 days and see what
happens. The file can be just a flat text file in the format
of</FONT></SPAN></P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2>10.10.10.10 # Remove in April</FONT></SPAN></P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2>10.10.10.1 # Remove In May</FONT></SPAN></P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2>They do not, of course, get a pass around virus,
attachment, etc checking, just compliance checks.</FONT></SPAN></P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </P>
<P class=MsoNormal><SPAN class=609270820-29022008><FONT face=Arial
color=#0000ff size=2>Rick</FONT></SPAN></P></DIV></BLOCKQUOTE></BODY>
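<P class=MsoNormal>The policy both posters describe (reject a HELO/EHLO that is neither a fully qualified name nor an RFC 2821 address literal, but skip that compliance check for connecting IPs listed in a flat exemption file such as "10.10.10.10 # Remove in April") can be modelled outside Exim so it can be tested against sample sessions. The following is an added example written for this page, not code from the thread, from Exim or from MailScanner. It assumes a label syntax (RFC 1035 letters, digits and hyphens), a small list of non-public TLDs to treat as unqualified, and constructed session data using documentation address ranges; the HELO strings quoted by the two posters are reused as test cases.</P>

```python
"""HELO/EHLO compliance check with a flat-file exemption list.

Added example (not from the thread, Exim or MailScanner). Assumptions that are
not on the page: the label regex, the set of non-public TLDs, the SMTP reply
codes used in the verdict and all sample session data.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed exemption file, in the "ip # comment" format shown in the reply.
EXEMPT_FILE = """\
# Hosts exempt from HELO compliance checks only, not from virus/attachment scanning.
10.10.10.10 # Remove in April
10.10.10.1  # Remove In May
"""

# RFC 1035-style label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# TLDs treated as unqualified (assumed list, based on the reply's .internal/.local/.localdomain).
LOCAL_TLDS = {"internal", "local", "localdomain", "lan"}


def load_exemptions(text: str) -> set:
    """Parse 'ip # comment' lines; blank and comment-only lines are skipped."""
    exempt = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            exempt.add(ipaddress.ip_address(line))
    return exempt


def is_address_literal(helo: str) -> bool:
    """RFC 2821 address literal: [192.0.2.1] or [IPv6:2001:db8::1]."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    inner = helo[1:-1]
    try:
        if inner.startswith("IPv6:"):
            ipaddress.IPv6Address(inner[len("IPv6:"):])
        else:
            ipaddress.IPv4Address(inner)
        return True
    except ValueError:
        return False


def is_fqdn(helo: str) -> bool:
    """At least two well-formed labels and a public-looking alphabetic TLD."""
    name = helo.rstrip(".")  # a trailing dot is allowed in a fully qualified name
    if len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    tld = labels[-1].lower()
    return tld.isalpha() and tld not in LOCAL_TLDS


@dataclass
class Verdict:
    code: int      # SMTP reply: 250 accept, 550 permanent policy reject
    reason: str


def check_helo(client_ip: str, helo: str, exempt: set) -> Verdict:
    """Apply the exemption list first, then the compliance check."""
    if ipaddress.ip_address(client_ip) in exempt:
        return Verdict(250, "listed host: compliance check skipped")
    if is_address_literal(helo):
        return Verdict(250, "address literal")
    if is_fqdn(helo):
        return Verdict(250, "fully qualified name")
    return Verdict(550, f"HELO {helo!r} is not an FQDN or address literal (policy)")


# Constructed sessions: (client IP, HELO string). The HELO values are the ones quoted in the thread.
SAMPLE_SESSIONS = [
    ("192.0.2.10", "mx1.example.net"),
    ("192.0.2.11", "(server3549)"),             # the newsletter host from the original post
    ("192.0.2.12", "boogabooga.internal"),      # the insurance company's new server
    ("192.0.2.13", "[192.0.2.13]"),             # address literal, acceptable per RFC 2821
    ("10.10.10.10", "something_stupid.local"),  # exempt IP: accepted despite bad HELO
    ("192.0.2.14", "something_stupid.local"),   # same HELO, not exempt: rejected
]


def run_samples(exempt_text: str = EXEMPT_FILE) -> dict:
    """Return {(ip, helo): reply code} for every sample session."""
    exempt = load_exemptions(exempt_text)
    return {(ip, helo): check_helo(ip, helo, exempt).code for ip, helo in SAMPLE_SESSIONS}


if __name__ == "__main__":
    for (ip, helo), code in run_samples().items():
        print(f"{ip:<12} {helo:<24} -> {code}")
```

<P class=MsoNormal>The exemption list is consulted before the compliance check and nowhere else, mirroring the reply's point that listed hosts bypass only the HELO policy and still go through the rest of the pipeline; dated comments in the file give the maintainer a cue to remove entries later.</P>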
</HTML>