Bill Cole wrote, at 03/13/2009 10:23 AM:
> Jorey Bump wrote, On 3/13/09 8:51 AM:
>> LuKreme wrote, at 03/13/2009 07:22 AM:
>>
>>> So I thought I'd see if anyone else thought that a helo in the form
>>> [12.34.56.789] SHOULD be allowed. I mean, as far as I recall, this is
>>> still technically allowed, right?
>>
>> A bracketed IP address is valid in a HELO/EHLO, but is so rare in
>> legitimate mail that it's still worth blocking.
>
> It should be noted that this is true only for mail transport, not mail
> submission.
>
> For the people still supporting the antiquated model of accepting mail
> submission via SMTP rather than a proper port 587 daemon, it is
> important to make allowances for the fact that MUA's frequently have no
> better choice for their HELO argument than an IP literal, and sometimes
> even that is pretty lousy (i.e. an ephemeral RFC1918 private IP)

MUA HELOs are problematic in many ways. But you're absolutely right, this is best handled by delaying this sort of check_helo_access until smtpd_recipient_restrictions, after permit_mynetworks & permit_sasl_authenticated, if you support submission on SMTP port 25 on an MX server.
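
The ordering described in this message, as an added Postfix configuration example that is not part of the original thread. The map path `/etc/postfix/helo_access.pcre`, the pattern and the reject text are assumptions, and the `pcre:` table type assumes Postfix was built with PCRE support.

```conf
# ---- /etc/postfix/main.cf (illustrative fragment, not from the thread) ----

# Placement to avoid on an MX that also takes submission on port 25:
# this list is evaluated on its own, with nothing ahead of the check to
# exempt local or authenticated clients, so an MUA that sends an
# IP-literal HELO is rejected along with everything else.
#smtpd_helo_restrictions =
#    check_helo_access pcre:/etc/postfix/helo_access.pcre

# Require a HELO/EHLO so there is always a value to test.
smtpd_helo_required = yes

# Delayed placement: trusted networks and SASL-authenticated clients are
# permitted before the HELO map is consulted, so the check only applies
# to unauthenticated mail transport from outside.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/helo_access.pcre

# ---- /etc/postfix/helo_access.pcre (assumed path) ----
# Matches a HELO argument that is a bracketed IPv4 literal such as [192.0.2.1].
/^\[[0-9.]+\]$/    REJECT IP-literal HELO not accepted from unauthenticated clients
```

After `postfix reload`, `postmap -q "[192.0.2.1]" pcre:/etc/postfix/helo_access.pcre` shows whether a given HELO string would match the map.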
