SMTP客户端必须在HELO中为MTA提供全局可解析的主机名吗?

时间:2022-06-01 19:24:38

In short: I'm trying to figure out if I should tell a mail administrator of a friend's employer whether their mail configuration should be fixed, or if I should revise my own policy to be more liberal in what I accept, or neither.

简而言之:我正在试图弄清楚我是否应该告诉朋友的雇主的邮件管理员他们的邮件配置是否应该修复,或者我是否应该修改我自己的政策以使我接受的更*,或者两者都不。

A friend was complaining of being unable to reach anything on my mailserver. I dug into it and it seems that the hostname provided by his mail server when it connected to mine was somewhere in the *.local space, meaning it wasn't globally resolvable.

一位朋友抱怨我的邮件服务器上无法访问任何内容。我挖了它,似乎他连接到我的邮件服务器提供的主机名在* .local空间的某个地方,这意味着它不是全局可解析的。

They were rejected with "Helo command rejected: Host not found;" by my postfix mailserver. I'm perhaps strict on my UCE checks in postfix, so I whitelisted their (in my opinion, misconfigured) server but now I'm trying to figure out to what extent they actually are misconfigured, versus whether I'm just being too harsh in what I accept.

他们被拒绝,“Helo命令被拒绝:主机未被发现;”通过我的postfix邮件服务器。我可能对后缀中的UCE检查严格,所以我将他们(在我看来,配置错误)服务器列入白名单,但现在我正在试图弄清楚他们实际上在多大程度上错误配置,而不是我是否过于苛刻在我接受的。

So then I checked the RFCs - RFC 821 says "The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification." which suggests to me that I'm actually the one violating the RFC.

然后我检查了RFC - RFC 821说“HELO接收器可以验证HELO参数确实对应于发送方的IP地址。但是,即使发送方的HELO命令验证失败,接收方也不能拒绝接受消息“。这告诉我,我实际上是违反RFC的人。

Was this portion of RFC 821 ever replaced by a future RFC, that I can point to? Or must mail servers accept mail with bogus HELOs? Are there any well respected authorities I can point to that state the HELO hostname should be valid, as a reference for contacting their mail admin?

RFC 821的这部分是否已被未来的RFC取代,我可以指出?或者邮件服务器必须接受伪造的HELO邮件吗?是否有任何受到尊重的权限,我可以指出HELO主机名应该有效,作为联系他们的邮件管理员的参考?

5 个解决方案

#1


2  

SMTP RFCs do not require it, but lots of popular systems will reject mail with bogus HELOs. Note that RFC 1033 and RFC 1912 both require all internet-reachable hosts to have a valid name; simply listing that name in the HELO will fix many problems. Some spam filters, unfortunately, also reject mail from hostnames containing strings that imply they are in dynamic address pools (e.g. "dynamic", "dsl", or a dash-separated IP address as is common with many ISPs).

SMTP RFC不需要它,但许多流行的系统将拒绝伪造的HELO邮件。请注意,RFC 1033和RFC 1912都要求所有可访问Internet的主机都具有有效名称;只需在HELO中列出该名称即可解决许多问题。遗憾的是,一些垃圾邮件过滤器还拒绝来自包含字符串的主机名的邮件,这些字符串意味着它们位于动态地址池中(例如“动态”,“dsl”或许多ISP常见的划分频率的IP地址)。

One option if your friend does not have control over their reverse DNS is to use a suitable machine as smarthost for outgoing mail; e.g. their ISP's mailserver.

如果您的朋友无法控制其反向DNS,则可以选择使用合适的计算机作为外发邮件的智能主机;例如他们的ISP的邮件服务器。

#2


6  

Strictly, you're both violating the RFC.

严格来说,你们都违反了RFC。

The sections of note are:

注意的部分是:

The sender-SMTP MUST ensure that the parameter in a HELO command is a valid principal host domain name for the client host.

sender-SMTP必须确保HELO命令中的参数是客户端主机的有效主体主机域名。

and

The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.

HELO接收器可以验证HELO参数是否真正对应于发送方的IP地址。但是,即使发送方的HELO命令未通过验证,接收方也不得拒绝接受消息。

Due to the prevalence of spam, mailservers these days are considerably stricter than the RFCs say they should be, and it is common to find all sorts of proprietary checks and reasons for rejection.

由于垃圾邮件的普遍存在,邮件服务器现在比RFC所说的要严格得多,并且通常会发现各种专有检查和拒绝原因。

However, they're not doing themselves any favours at all by having an incorrect hostname in their HELO string. Whereas your mailserver will probably work perfectly well, theirs is likely to have trouble sending and receiving email from many systems.

但是,他们在HELO字符串中输入的主机名不正确,根本没有任何好处。虽然您的邮件服务器可能运行良好,但他们可能无法从许多系统发送和接收电子邮件。

I would let them know. If only because of their misconfiguration, they're probably not getting all the email they should be.

我会告诉他们的。如果仅仅是因为他们的配置错误,他们可能没有得到他们应该的所有电子邮件。

#3


4  

As you cite, the RFC 822 standard leaves the behavior up to the MTA. These days, rejecting connections at the HELO stage if the name can't be resolved (and checking it against a blacklist such as spamhaus) is the only way for MTAs to keep up with the flood of spam generated by botnets.

正如您所引用的那样,RFC 822标准将行为留给了MTA。如今,如果无法解析名称(并将其与垃圾邮件等黑名单进行核对),则拒绝HELO阶段的连接是MTA跟上僵尸网络产生的大量垃圾邮件的唯一途径。

So there's no standard that says you MUST, but if you don't, your email won't get very far.

所以没有标准说你必须,但如果你没有,你的电子邮件将不会走得太远。

#4


1  

Yes they should. Lots of other systems, including yahoo, will reject mail from hostnames they can't reverse map to the connecting IP, or that they can't resolve.

是的他们应该。许多其他系统,包括雅虎,将拒绝来自主机名的邮件,他们无法反向映射到连接IP,或者他们无法解决。

#5


0  

Eh, I disagree. It can provide total garbage within the EHLO/HELO if it wants to. As long as it says something, and as long as I can resolve the ip address it's coming from, I'm happy.

呃,我不同意。如果需要,它可以在EHLO / HELO中提供总垃圾。只要它说了些什么,只要我能解决它来自的IP地址,我很高兴。

Inside the EHLO is often a short hostname, not a FQDN.

在EHLO内部通常是一个短主机名,而不是FQDN。

#1


2  

SMTP RFCs do not require it, but lots of popular systems will reject mail with bogus HELOs. Note that RFC 1033 and RFC 1912 both require all internet-reachable hosts to have a valid name; simply listing that name in the HELO will fix many problems. Some spam filters, unfortunately, also reject mail from hostnames containing strings that imply they are in dynamic address pools (e.g. "dynamic", "dsl", or a dash-separated IP address as is common with many ISPs).

SMTP RFC不需要它,但许多流行的系统将拒绝伪造的HELO邮件。请注意,RFC 1033和RFC 1912都要求所有可访问Internet的主机都具有有效名称;只需在HELO中列出该名称即可解决许多问题。遗憾的是,一些垃圾邮件过滤器还拒绝来自包含字符串的主机名的邮件,这些字符串意味着它们位于动态地址池中(例如“动态”,“dsl”或许多ISP常见的划分频率的IP地址)。

One option if your friend does not have control over their reverse DNS is to use a suitable machine as smarthost for outgoing mail; e.g. their ISP's mailserver.

如果您的朋友无法控制其反向DNS,则可以选择使用合适的计算机作为外发邮件的智能主机;例如他们的ISP的邮件服务器。

#2


6  

Strictly, you're both violating the RFC.

严格来说,你们都违反了RFC。

The sections of note are:

注意的部分是:

The sender-SMTP MUST ensure that the parameter in a HELO command is a valid principal host domain name for the client host.

sender-SMTP必须确保HELO命令中的参数是客户端主机的有效主体主机域名。

and

The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.

HELO接收器可以验证HELO参数是否真正对应于发送方的IP地址。但是,即使发送方的HELO命令未通过验证,接收方也不得拒绝接受消息。

Due to the prevalence of spam, mailservers these days are considerably stricter than the RFCs say they should be, and it is common to find all sorts of proprietary checks and reasons for rejection.

由于垃圾邮件的普遍存在,邮件服务器现在比RFC所说的要严格得多,并且通常会发现各种专有检查和拒绝原因。

However, they're not doing themselves any favours at all by having an incorrect hostname in their HELO string. Whereas your mailserver will probably work perfectly well, theirs is likely to have trouble sending and receiving email from many systems.

但是,他们在HELO字符串中输入的主机名不正确,根本没有任何好处。虽然您的邮件服务器可能运行良好,但他们可能无法从许多系统发送和接收电子邮件。

I would let them know. If only because of their misconfiguration, they're probably not getting all the email they should be.

我会告诉他们的。如果仅仅是因为他们的配置错误,他们可能没有得到他们应该的所有电子邮件。

#3


4  

As you cite, the RFC 822 standard leaves the behavior up to the MTA. These days, rejecting connections at the HELO stage if the name can't be resolved (and checking it against a blacklist such as spamhaus) is the only way for MTAs to keep up with the flood of spam generated by botnets.

正如您所引用的那样,RFC 822标准将行为留给了MTA。如今,如果无法解析名称(并将其与垃圾邮件等黑名单进行核对),则拒绝HELO阶段的连接是MTA跟上僵尸网络产生的大量垃圾邮件的唯一途径。

So there's no standard that says you MUST, but if you don't, your email won't get very far.

所以没有标准说你必须,但如果你没有,你的电子邮件将不会走得太远。

#4


1  

Yes they should. Lots of other systems, including yahoo, will reject mail from hostnames they can't reverse map to the connecting IP, or that they can't resolve.

是的他们应该。许多其他系统,包括雅虎,将拒绝来自主机名的邮件,他们无法反向映射到连接IP,或者他们无法解决。

#5


0  

Eh, I disagree. It can provide total garbage within the EHLO/HELO if it wants to. As long as it says something, and as long as I can resolve the ip address it's coming from, I'm happy.

呃,我不同意。如果需要,它可以在EHLO / HELO中提供总垃圾。只要它说了些什么,只要我能解决它来自的IP地址,我很高兴。

Inside the EHLO is often a short hostname, not a FQDN.

在EHLO内部通常是一个短主机名,而不是FQDN。