Hello,

On 2021-08-08, at 16:13 (UTC+0200), Matus UHLAR - fantomas had the following to say:

: are you searching for disabling particular strings in helo/ehlo command?

No, I would like to validate the argument to the EHLO command (actually, to both the EHLO and HELO commands, but see below). The standard says that it must have the form of a ⟨Domain⟩ or ⟨address-literal⟩ (only ⟨Domain⟩s allowed with HELO), and be a "primary host name" [1] for the former. A primary host name is defined as an FQDN that resolves to an A or AAAA RRset, as opposed to merely an MX RRset.

However, there are globally well-defined domain names [2], as well as IP addresses [3], that satisfy these respective productions, yet have special semantics that preclude them from appearing in any /meaningful/ SMTP conversation on the public Internet -- either as the argument to the EHLO/HELO command or as the ⟨Domain⟩ part in a ⟨Mailbox⟩, where only ⟨Domain⟩s are allowed. It's only logical, then, to weed them out before we even invoke the DNS lookup machinery in our attempts to resolve a domain name that -- by definition -- is to produce an NXDOMAIN from any well-administered public DNS server, anyway.

I currently only have the domain names listed in a check_helo_access table with a REJECT action for each and all its sub-domains, and would like to extend this functionality to ⟨address-literal⟩s for the EHLO command case.

The way I understand the workings of the check_helo_access tables is that no DNS lookup is performed before the table is consulted. So far, so good. The check_helo_a_access tables are only consulted with the /result/ of a DNS lookup, and are therefore not suitable, since we do not need to look up an ⟨address-literal⟩ EHLO argument.

My current approach consists of either having both domain names and IP addresses in one check_helo_access table (operationally preferred, but insufficient for specifying all IP address forms) or using /two/ check_helo_access tables in succession: one access(5) table for domain names followed by one cidr_table(5) for IP addresses. The latter is a consequence of the fact that these special addresses are all defined as CIDR blocks, some of them with prefixes that aren't integer multiples of 8, which rules out access(5) tables for those IP addresses.

Another complication arises with SMTP clients that only introduce themselves with the HELO command. In that particular case, as near-pathological as it may seem these days, I would /only/ like the domain name table to be consulted, and not the IP address table, since, well, ⟨address-literal⟩s aren't allowed as arguments to the HELO command.

Any comments, suggestions?

Thanks,
Mono

[1] https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.5
[2] https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
[3] https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
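The two-table scheme described in the post (an access(5)-style domain lookup followed by a cidr_table(5)-style lookup, with the CIDR table skipped for HELO because address literals are only grammatical with EHLO) can be modelled as a small pre-DNS filter. The following is an added example, not Postfix code and not from the poster; the domain and address tables are constructed subsets of the two IANA registries cited above, the `ADDRESS_LITERAL`/`DOMAIN` regexes and the `check_helo` function are hypothetical helpers, and the REJECT/DUNNO strings borrow access(5) vocabulary for "decided here" versus "no decision, carry on to DNS resolution":

```python
import ipaddress
import re
from typing import Optional

# Constructed subset of the IANA Special-Use Domain Names registry (ref. [2]).
# Lookups follow access(5) semantics: the full name first, then each parent
# domain, so "foo.localhost" is caught by the "localhost" entry.
SPECIAL_USE_DOMAINS = {
    "localhost", "invalid", "example", "test", "local", "onion", "home.arpa",
    "example.com", "example.net", "example.org",
}

# Constructed subset of the IANA IPv4 Special-Purpose Address Registry (ref. [3]).
# Kept as networks, as a cidr_table(5) would, so prefixes that are not whole
# octets (100.64.0.0/10, 172.16.0.0/12, 198.18.0.0/15, 240.0.0.0/4) still match;
# an access(5) table can only express whole-octet prefixes such as 10 or 192.168.
SPECIAL_PURPOSE_IPV4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "255.255.255.255/32",
)]

# A few entries from the corresponding IPv6 registry (constructed subset).
SPECIAL_PURPOSE_IPV6 = [ipaddress.ip_network(n) for n in (
    "::/128", "::1/128", "::ffff:0:0/96", "2001:db8::/32", "fc00::/7", "fe80::/10",
)]

# RFC 5321 address-literal: "[1.2.3.4]" or "[IPv6:...]" (hypothetical helper regex).
ADDRESS_LITERAL = re.compile(r"^\[(IPv6:)?([0-9A-Fa-f:.]+)\]$")
# RFC 5321 Domain: LDH labels joined by dots; single labels are accepted here so
# that a bare "localhost" still reaches the table lookup (hypothetical helper).
DOMAIN = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def domain_table_lookup(name: str) -> Optional[str]:
    """access(5)-style lookup: exact name, then each parent domain."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in SPECIAL_USE_DOMAINS:
            return f"REJECT special-use domain {key}"
    return None


def cidr_table_lookup(addr) -> Optional[str]:
    """cidr_table(5)-style lookup: first matching network in table order wins."""
    table = SPECIAL_PURPOSE_IPV4 if addr.version == 4 else SPECIAL_PURPOSE_IPV6
    for net in table:
        if addr in net:
            return f"REJECT special-purpose address {net}"
    return None


def check_helo(command: str, argument: str) -> str:
    """Return a REJECT reason, or DUNNO when the argument may proceed to the
    DNS-based checks (nothing in these tables decided against it)."""
    command = command.upper()
    if command not in ("HELO", "EHLO"):
        return "REJECT not a HELO/EHLO command"
    literal = ADDRESS_LITERAL.match(argument)
    if literal:
        # Address literals are only grammatical with EHLO; for HELO the
        # CIDR table is never consulted, which is the behaviour the post asks for.
        if command == "HELO":
            return "REJECT address literal not allowed with HELO"
        tag, text = literal.groups()
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return "REJECT malformed address literal"
        # The "IPv6:" tag must be present exactly when the address is IPv6.
        if (addr.version == 6) != (tag is not None):
            return "REJECT malformed address literal"
        return cidr_table_lookup(addr) or "DUNNO"
    if not DOMAIN.match(argument):
        return "REJECT malformed domain"
    return domain_table_lookup(argument) or "DUNNO"


if __name__ == "__main__":
    # Constructed sample greetings exercising each branch.
    for cmd, arg in (("EHLO", "localhost"), ("EHLO", "[100.100.1.1]"),
                     ("HELO", "[192.0.2.1]"), ("EHLO", "smtp.relay-host.net")):
        print(cmd, arg, "->", check_helo(cmd, arg))
```

The `[100.100.1.1]` case is the one that motivates the separate cidr_table(5): it falls inside 100.64.0.0/10, a prefix an access(5) table cannot express as an octet-boundary key, while `localhost` and `foo.localhost` both resolve to the same parent-domain entry exactly as an access(5) lookup would. Everything that returns DUNNO is what would go on to the A/AAAA resolution the post wants to avoid for the special-use names.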