Re: HELO [1.2.3.4] wrong policy checking
On Wed, Sep 12, 2001 at 09:56:41PM +0400, Eugene Crosser wrote:
> If on incoming connection remote gives us HELO with IP literal that
> belongs to a forbidden network it results in rejection of mail.
> I think this is not right. HELO string should not be checked
> as notoriously as real IP address of the peer.

The aim there has been (as I recall my own motivations for
the chosen logic) to allow oneself to define cases where some
magic input is indicative of an absolutely no-no source.

> This behavior results in rejection of mail coming from (admittedly
> misconfigured) MTAs talking to us from a private network behind a NAT
> router.

I don't (anymore) list private networks as rejected in the
boilerplate smtp-policy.src file.
If you have an early version in use, perhaps you need to
remove those few lines?
Systems talking from behind NAT can be fully legitimate, no
reason to reject them.

> I think the source of the problem is that pt_heloname calls check_domain
> in policytest.c:1181, and check_domain, when it gets IP literal, calls
> _addrtest_ in policytest.c:1039. I don't feel that it is appropriate
> to check address where check of domain was requested. Maybe even domain
> should not be checked in HELO parameter?..

It is there just to enable trapping and rejection in the style
of HELO patterns in the smtpserver.conf file end, but
using the policy framework.

> Any thoughts about how to fix this properly?

Fix the smtp-policy.src boilerplate file?

> Eugene
--
/Matti Aarnio <mea@nic.funet.fi>
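
The trade-off discussed in this thread, as an added illustration (not ZMailer code and not written by either poster): a minimal policy check in which a HELO address literal is run through the same network test as the peer address. The network lists, addresses and function names are constructed for the example.

```python
import ipaddress

# Constructed policy data: not the contents of any real smtp-policy.src.
OLD_REJECT_NETS = ["10.0.0.0/8", "192.168.0.0/16", "198.51.100.0/24"]
NEW_REJECT_NETS = ["198.51.100.0/24"]  # private ranges no longer listed


def addr_rejected(addr, reject_nets):
    """Address test: True if addr falls inside any rejected network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in reject_nets)


def helo_literal(helo):
    """Return the IPv4 address inside a literal like "[1.2.3.4]", else None."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return str(ipaddress.IPv4Address(helo[1:-1]))
        except ValueError:
            return None
    return None


def accept(peer_ip, helo, reject_nets, test_helo_literal=True):
    """Decide on a connection from peer_ip that sent the given HELO argument."""
    if addr_rejected(peer_ip, reject_nets):
        return False
    literal = helo_literal(helo)
    if test_helo_literal and literal and addr_rejected(literal, reject_nets):
        return False  # HELO literal is treated like a peer address
    return True


# Constructed case: MTA behind NAT, public peer address, private HELO literal.
NAT_PEER, NAT_HELO = "203.0.113.7", "[192.168.1.10]"
# Constructed case: HELO literal the administrator deliberately wants trapped.
TRAP_HELO = "[198.51.100.9]"

if __name__ == "__main__":
    print("old list, literal tested:  ", accept(NAT_PEER, NAT_HELO, OLD_REJECT_NETS))
    print("new list, literal tested:  ", accept(NAT_PEER, NAT_HELO, NEW_REJECT_NETS))
    print("old list, literal skipped: ", accept(NAT_PEER, NAT_HELO, OLD_REJECT_NETS, False))
    print("trap, literal tested:      ", accept(NAT_PEER, TRAP_HELO, NEW_REJECT_NETS))
    print("trap, literal skipped:     ", accept(NAT_PEER, TRAP_HELO, NEW_REJECT_NETS, False))
```

Trimming the reject list keeps the ability to trap chosen HELO literals; skipping the address test for HELO literals accepts the NAT case but also lets the trapped literal through.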