From: Philippe Cerfon on 26 Dec 2009 16:38

Hi list.

I was recently looking over my postfix config and RFC 5321 in order to see whether everything seems still to be compliant (not postfix,.. but my config ;) ).

Then I stumbled across the following:
http://tools.ietf.org/html/rfc5321#section-4.1.4 says:

   A session that will contain mail transactions MUST first be
   initialized by the use of the EHLO command. An SMTP server SHOULD
   accept commands for non-mail transactions (e.g., VRFY or EXPN)
   without this initialization.

However having smtpd_helo_required = yes (which is the non-default) ALWAYS requires the HELO/EHLO, not only for mail transactions.
I wasn't able to find a way to get RFC compliant behavior ... ok the RFC just says "SHOULD" so strictly speaking, the way Postfix goes is still compliant.

Is it somehow possible to fulfil this SHOULD, while still fulfilling the MUST?

Regards,
Philippe.

From: Len Conrad on 26 Dec 2009 16:49

>Hi list.
>
>I was recently looking over my postfix config and RFC 5321 in order to
>see whether everything seems still to be compliant (not postfix,.. but
>my config ;) ).
>
>Then I stumbled across the following:
>http://tools.ietf.org/html/rfc5321#section-4.1.4 says:
>A session that will contain mail transactions MUST first be
> initialized by the use of the EHLO command. An SMTP server SHOULD
> accept commands for non-mail transactions (e.g., VRFY or EXPN)
> without this initialization.
>
>However having smtpd_helo_required = yes (which is the non-default)
>ALWAYS requires the HELO/EHLO, not only for mail transactions.
>I wasn't able to find a way to get RFC compliant behavior ... ok the
>RFC just says "SHOULD" so strictly speaking, the way Postfix goes is
>still compliant.
>
>Is it somehow possible to fulfil this SHOULD, while still fulfilling the MUST?

Don't be overly legalistic or rabbinical about conforming to RFCs, since attackers aren't.

Reasoning? Run postscreen and see the 100s of 1000s of attackers that connect and start sending data, which postfix calls pre-greet, before postfix sends 2xx SMTP greeting.

Requiring HELO is hardly an RFC-abusive setting. I expect almost no legit, nor illegit, SMTP servers send EXPN or VRFY before helo,

Len

From: Stan Hoeppner on 26 Dec 2009 19:46

Len Conrad put forth on 12/26/2009 3:49 PM:

> Requiring HELO is hardly an RFC-abusive setting. I expect almost no legit, nor illegit, SMTP servers send EXPN or VRFY before helo,

I'll add that just about everyone disables VRFY these days to prevent valid address harvesting, so if 5321 or any other RFC requires accepting VRFY then we are all out of RFC compliance.

Concentrate on the aspects of RFCs that allow you to send/receive email to/from legitimate sites. Be loose with those that impede your ability to stop spam. We've all read various places that over 90% of all email attempts/transactions are spam. The authors of the relevant SMTP RFCs did not take this fact into account last they wrote these documents. Look at the creation and last modified dates on these RFCs and you'll fully understand that they are behind the times WRT dealing with spam.

--
Stan

From: Wietse Venema on 26 Dec 2009 20:11

Philippe Cerfon:
> Hi list.
>
> I was recently looking over my postfix config and RFC 5321 in order to
> see whether everything seems still to be compliant (not postfix,.. but
> my config ;) ).
>
> Then I stumbled across the following:
> http://tools.ietf.org/html/rfc5321#section-4.1.4 says:
> A session that will contain mail transactions MUST first be
> initialized by the use of the EHLO command. An SMTP server SHOULD
> accept commands for non-mail transactions (e.g., VRFY or EXPN)
> without this initialization.
>
> However having smtpd_helo_required = yes (which is the non-default)
> ALWAYS requires the HELO/EHLO, not only for mail transactions.
> I wasn't able to find a way to get RFC compliant behavior ... ok the
> RFC just says "SHOULD" so strictly speaking, the way Postfix goes is
> still compliant.
>
> Is it somehow possible to fulfil this SHOULD, while still fulfilling the MUST?

With "smtpd_helo_required = yes", the Postfix SMTP server requires HELO (or EHLO) before the MAIL, ETRN and AUTH commands (*).

If you disagree, then you MUST show the evidence that Postfix behaves otherwise.

Wietse

(*) I SHOULD probably add STARTTLS to this list. An SMTP client is not supposed to send ETRN, AUTH or STARTTLS without checking first that the SMTP server actually supports the feature.

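One way to gather the evidence asked for in the message above on a server you operate, as an added example that is not part of the thread and not Postfix code: the probe sends VRFY and MAIL both before and after EHLO, so that a VRFY refused for lack of HELO can be told apart from a VRFY that is simply disabled. The function names, the probe HELO name and `fake_server` (a constructed stand-in so the block runs offline) are assumptions of this example.

```python
import smtplib

def probe_helo_gating(docmd, helo_name="probe.example.invalid"):
    """Replay a fixed command sequence through docmd(verb, args) -> (code, text)
    and report which commands are refused only because HELO/EHLO is missing."""
    def ok(reply):
        return 200 <= reply[0] < 300
    vrfy_before = ok(docmd("VRFY", "postmaster"))
    mail_before = ok(docmd("MAIL", "FROM:<>"))
    docmd("RSET", "")                    # drop any transaction the server did open
    greeted = ok(docmd("EHLO", helo_name))
    vrfy_after = ok(docmd("VRFY", "postmaster"))
    mail_after = ok(docmd("MAIL", "FROM:<>"))
    docmd("RSET", "")
    return {
        "greeted": greeted,
        # refused before the greeting but accepted after it: gated on HELO/EHLO
        "mail_requires_helo": mail_after and not mail_before,
        "vrfy_requires_helo": vrfy_after and not vrfy_before,
        # refused both times: VRFY is switched off, which says nothing about HELO
        "vrfy_disabled": not vrfy_before and not vrfy_after,
    }

def probe_host(host, port=25):
    """Run the probe against a server you operate (host is supplied by the caller)."""
    conn = smtplib.SMTP(host, port, timeout=10)  # reads the greeting, sends no HELO
    try:
        return probe_helo_gating(conn.docmd)
    finally:
        conn.quit()

def fake_server(gated=("MAIL", "ETRN", "AUTH"), vrfy_enabled=True):
    """Constructed stand-in: refuses the `gated` verbs with 503 until HELO/EHLO."""
    seen_helo = False
    def docmd(verb, args=""):
        nonlocal seen_helo
        if verb in ("HELO", "EHLO"):
            seen_helo = True
            return 250, b"ok"
        if verb in gated and not seen_helo:
            return 503, b"bad sequence of commands"
        if verb == "VRFY":
            return (252, b"cannot verify") if vrfy_enabled else (502, b"not implemented")
        return 250, b"ok"
    return docmd
```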
From: Jerry on 27 Dec 2009 07:39

On Sat, 26 Dec 2009 18:46:48 -0600
Stan Hoeppner <stan(a)hardwarefreak.com> replied:

>I'll add that just about everyone disables VRFY these days to prevent
>valid address harvesting, so if 5321 or any other RFC requires
>accepting VRFY then we are all out of RFC compliance.

<QUOTE>

3.5.3. Meaning of VRFY or EXPN Success Response

A server MUST NOT return a 250 code in response to a VRFY or EXPN command unless it has actually verified the address. In particular, a server MUST NOT return 250 if all it has done is to verify that the syntax given is valid. In that case, 502 (Command not implemented) or 500 (Syntax error, command unrecognized) SHOULD be returned. As stated elsewhere, implementation (in the sense of actually validating addresses and returning information) of VRFY and EXPN are strongly recommended. Hence, implementations that return 500 or 502 for VRFY are not in full compliance with this specification.

</quote>

That should be changed. No server should be forced, or at least encouraged to implement the 'VRFY' command.

--
Jerry
postfix.user(a)yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

The absurd is the essential concept and the first truth.