Check for helo/hostname mismatch?
@Norbert Fehlauer: There is no such requirement in the RFC (i.e., that the domain name submitted in the HELO command must match the reverse name of the sender MX IP), so such a rule would definitely block many legitimate emails.
Thanks for the answer Krisztian,
thought so, but ran across such an incident. ;)
http://social.technet.microsoft.com/Forums/de-DE/technetgenerelle_fragende/thread/9c01cebe-e62a-4e64-bf61-81a0f7658757#9c01cebe-e62a-4e64-bf61-81a0f7658757
dd6018 postfix/policyd-weight[23346]: decided action=550
Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to
correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo:
by2msftvsmtp03.phx.gbl, MTA hostname:
delivery.smtp.microsoft.com[207.46.22.101] (helo/hostname mismatch);
<client=207.46.22.101> <helo=by2msftvsmtp03.phx.gbl>
"The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification."
http://www.ietf.org/rfc/rfc1123.txt (section 5.2.5)
Yes found that too. ;) http://tools.ietf.org/html/rfc2821#page-29 does not mention it at all. ;)
Yes, but you're missing ..
https://tools.ietf.org/html/rfc2821#section-3.6
Only resolvable, fully-qualified, domain names (FQDNs) are permitted
when domain names are used in SMTP. In other words, names that can
be resolved to MX RRs or A RRs (as discussed in section 5) are
permitted, as are CNAME RRs whose targets can be resolved, in turn,
to MX or A RRs. Local nicknames or unqualified names MUST NOT be
used. There are two exceptions to the rule requiring FQDNs:
- The domain name given in the EHLO command MUST BE either a primary
host name (a domain name that resolves to an A RR) or, if the host
has no name, an address literal as described in section 4.1.1.1.
and with policyd-weight, the helo/hostname mismatch FAQ says..
The client-IP and its /24 or /16 subnets are in no relation to the A/MX records of the HELO FQDN, domain and parent domains;
NEITHER A/MX records of the sender-domain or parent domains;
NEITHER does the reverse record (PTR) point to a FQDN or domain which matches the HELO FQDN or domain or parent domains nor the sender-domain or parent domains.
Or in short: no, policyd-weight does NOT block on a helo/hostname mismatch alone, but does report it as one of the most obvious issues.
- The reserved mailbox name "postmaster" may be used in a RCPT
command without domain qualification (see section 4.1.1.3) and
MUST be accepted if so used.
Hi,
would a check for helo/hostname mismatch be useful, or is this nonsense?
Regards
Norbert
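
The three-part mismatch condition from the policyd-weight FAQ quoted in the thread, as an added example that is not part of the thread and not policyd-weight's own code. The DNS table is constructed so the check runs offline (only the client IP, HELO and PTR name of the first PTR entry come from the log above); the sender domain, the penalty and limit values, and the reading of "/24 or /16 subnets" as "an A/MX address falls inside the client's /16" are assumptions.

```python
import ipaddress

# Constructed records standing in for live DNS lookups, so this runs offline.
DNS = {
    "A": {"mail.example.org": ["192.0.2.10"]},
    "MX": {"example.org": ["mail.example.org"]},
    "PTR": {"207.46.22.101": "delivery.smtp.microsoft.com",  # pair from the log
            "198.51.100.5": "smtp.example.org"},
}

def parents(name):
    """The name and its parent domains, stopping before the bare TLD."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]

def addresses(name):
    """A records of the name and of its MX hosts."""
    hosts = [name] + DNS["MX"].get(name, [])
    return [ip for h in hosts for ip in DNS["A"].get(h, [])]

def related_by_address(client_ip, name):
    """Client /16 (which includes its /24) holds an A/MX address of name or a parent."""
    net = ipaddress.ip_network(f"{client_ip}/16", strict=False)  # IPv4 only
    return any(ipaddress.ip_address(ip) in net
               for dom in parents(name) for ip in addresses(dom))

def related_by_ptr(client_ip, name):
    """PTR of the client shares a domain or parent domain with name."""
    ptr = DNS["PTR"].get(client_ip)
    return bool(ptr) and bool(set(parents(ptr)) & set(parents(name)))

def helo_hostname_mismatch(client_ip, helo, sender_domain):
    """True only if neither HELO nor sender domain relates to the client at all."""
    return not any(rel(client_ip, name)
                   for name in (helo, sender_domain)
                   for rel in (related_by_address, related_by_ptr))

def decide(client_ip, helo, sender_domain, other_score, limit=1.0, penalty=0.5):
    """Mismatch adds a penalty (assumed values) but cannot reject on its own."""
    hit = helo_hostname_mismatch(client_ip, helo, sender_domain)
    return "reject" if other_score + (penalty if hit else 0.0) >= limit else "accept"
```

The parent-domain comparison here does not consult a public suffix list, so names under a shared suffix such as co.uk would count as related; a production check would need that refinement.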