OT: Seeking opinion about reverse-DNS lookups on SMTP HELO

Aleksandar Milivojevic amilivojevic at pbl.ca
Tue Dec 14 15:11:04 UTC 2004


HaJo Schatz wrote:
> To combat spam I have enabled reverse-DNS lookups of incoming SMTP 
> connections. If the FQDN does not match the HELO-Identity, I reject the 
> connection with a 550 Error.

Bad idea, as you witnessed on your own skin.  Checking the HELO argument 
sounds tempting in theory, but gets you in trouble sooner or later if 
you implement it in practice.

The relevant RFCs use the words domain and hostname in different places when 
talking about the argument to the HELO command.  They also say you *may* check 
the argument, but you *should not* reject solely based on that check. 
It was simply never meant to be used for strict checking.  Don't use 
things for what they were not intended to be used, or you'll be burned.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
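
An added example, not part of the original message: one way to treat the HELO/reverse-DNS comparison as a scoring signal rather than a 550 rejection, in line with the "may check, should not reject" reading above. The function name, signal names and sample sessions are hypothetical; the PTR lookup is left to the caller so the code runs offline.

```python
import ipaddress

def helo_signals(helo_arg, client_ip, ptr_names):
    """Compare a HELO argument with the peer's PTR names.

    ptr_names: names the caller obtained from a reverse lookup of
    client_ip (empty list if there is no PTR record).
    Returns (action, signals); the action is never a rejection.
    """
    signals = []
    arg = helo_arg.strip().rstrip(".").lower()
    ptrs = {p.rstrip(".").lower() for p in ptr_names}

    if arg.startswith("[") and arg.endswith("]"):
        # Address literal such as [192.0.2.10] or [IPv6:2001:db8::1]
        literal = arg[1:-1]
        if literal.startswith("ipv6:"):
            literal = literal[5:]
        try:
            if ipaddress.ip_address(literal) != ipaddress.ip_address(client_ip):
                signals.append("helo-literal-differs-from-peer")
        except ValueError:
            signals.append("helo-literal-malformed")
    elif "." not in arg:
        signals.append("helo-not-fqdn")
    elif not ptrs:
        signals.append("no-ptr-record")
    elif arg in ptrs:
        pass  # exact hostname match, nothing to note
    elif any(p.endswith("." + arg) for p in ptrs):
        # HELO carries the domain, PTR carries the hostname
        signals.append("helo-is-parent-domain-of-ptr")
    else:
        signals.append("helo-differs-from-ptr")

    # Signals feed a spam score or a log line; HELO alone never rejects.
    return ("accept-and-score" if signals else "accept"), signals

# Constructed sample sessions (documentation addresses and names).
SAMPLES = [
    ("mail.example.org", "192.0.2.10", ["mail.example.org."]),
    ("example.org", "192.0.2.10", ["mail.example.org"]),
    ("smtp.example.net", "192.0.2.10", ["gw7.isp.example"]),
    ("[192.0.2.10]", "192.0.2.10", []),
]

if __name__ == "__main__":
    for helo, ip, ptrs in SAMPLES:
        print(helo, ip, helo_signals(helo, ip, ptrs))
```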



