On Sun, Dec 15, 2019 at 02:03:25PM -0800, Randy Bush wrote:

> I gotta ask two technical questions.
>
> o would it be technically easy for the smtp servers to accept ip
>   literals in a conforming manner?  yes, this is a question for my
>   esteemed friend glen and his partner in crime, matt.

Since the servers in question run Postfix, I feel I am well placed to
answer that question with a "yes".  Indeed Postfix accepts IP address
literals in HELO names by default.  Even when Postfix is configured to
reject non-FQDN forms:

    http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname

        Reject the request when the HELO or EHLO hostname is not in
        fully-qualified domain or address literal form, as required by
        the RFC.

address literals are still accepted.  It takes some effort to get Postfix
to reject address literals; the administrator would have to implement a
custom regular expression table, to accept some and reject other HELO
name forms.  For example:

main.cf:
    smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        check_helo_access pcre:${config_directory}/helo.pcre

helo.pcre:
    /^\[/ REJECT Address literals not welcome here

> o what would the technical and/or security exposure or other
>   downside(s) be of doing so?

Use of address literals is not common among carefully configured,
well-maintained Internet-facing outbound relay MTAs.  There is likely
some positive correlation between address-literal use and generally
sloppy MTA configuration, which might open said MTAs to abuse.

That said, I personally doubt that use of address literals is a
high-quality signal that distinguishes legitimate MTAs from abuse
sources.  It is merely a small indicator that the sending MTA is not up
to best practice.  Keeping out junk is unavoidably a balancing act of
trade-offs; some legitimate traffic is liable to get blocked.

The key question with any approach one takes is whether it is
sufficiently effective (how much junk is blocked) and whether the FP
rate is low enough.

-- 
    Viktor.

P.S.  In my own Postfix configuration, I see:

    /^[\d.]+$/  550 Your software is not RFC 2821 compliant

which blocks "HELO 192.0.2.1", but not "HELO [192.0.2.1]".  It could
have been more precise to match only dotted quads.

    /^(?:\d+\.){3}\d+$/  550 Your software is not RFC 2821 compliant

Perhaps somewhere along the way, someone came up with a variant that
does block address literals, whether deliberately or by accident.
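The restriction list and the PCRE rules quoted in the message above, modelled in Python as an added example so that each regex can be checked offline. This is not code from the message, from its author, or from Postfix; `is_fqdn_or_literal` is a simplified assumption standing in for `reject_non_fqdn_helo_hostname`, `HELO_PCRE` is a constructed table that combines the `helo.pcre` rule with the dotted-quad rule from the P.S., and the sample HELO names are constructed test inputs.

```python
import re

# Address literal per RFC 5321 section 4.1.3: "[192.0.2.1]" or
# "[IPv6:2001:db8::1]".  Deliberately simple, an assumption for illustration.
ADDRESS_LITERAL = re.compile(
    r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$")

# Hostname characters accepted by this model: letters, digits, dots, hyphens.
HOSTNAME_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")

# The two patterns from the P.S. of the message.
LOOSE_IP = re.compile(r"^[\d.]+$")               # also matches "1.2" and "..."
DOTTED_QUAD = re.compile(r"^(?:\d+\.){3}\d+$")   # exactly four numeric labels


def is_fqdn_or_literal(helo):
    """Simplified model (an assumption, not Postfix's valid_hostname()) of
    what reject_non_fqdn_helo_hostname lets through: a well-formed address
    literal, or a dotted name that is not purely numeric."""
    if helo.startswith("["):
        return bool(ADDRESS_LITERAL.match(helo))
    if not HOSTNAME_CHARS.match(helo):
        return False
    if "." not in helo or helo.endswith(".") or helo.startswith("."):
        return False
    # Purely numeric names such as "192.0.2.1" are not hostnames.
    return any(c.isalpha() for c in helo)


# Constructed helo.pcre table.  As in a Postfix access map, the first
# matching rule wins and its action text is returned verbatim.
HELO_PCRE = [
    (re.compile(r"^\["), "REJECT Address literals not welcome here"),
    (DOTTED_QUAD, "550 Your software is not RFC 2821 compliant"),
]


def check_helo_access(helo, table=HELO_PCRE):
    """Look the HELO name up in the PCRE table; DUNNO means no rule matched."""
    for pattern, action in table:
        if pattern.search(helo):
            return action
    return "DUNNO"


def smtpd_helo_restrictions(helo, from_mynetworks=False):
    """Evaluate the smtpd_helo_restrictions list from the message, in order.
    permit_sasl_authenticated is omitted because no SASL state is modelled."""
    if from_mynetworks:                  # permit_mynetworks
        return "PERMIT"
    if not is_fqdn_or_literal(helo):     # reject_non_fqdn_helo_hostname
        return "REJECT non-FQDN HELO"
    return check_helo_access(helo)       # check_helo_access pcre:helo.pcre


if __name__ == "__main__":
    # Constructed sample HELO arguments.
    for name in ["mail.example.com", "[192.0.2.1]", "[IPv6:2001:db8::1]",
                 "192.0.2.1", "localhost", "1.2", "..."]:
        print(f"{name:20} loose={bool(LOOSE_IP.match(name))!s:5} "
              f"quad={bool(DOTTED_QUAD.match(name))!s:5} "
              f"verdict={smtpd_helo_restrictions(name)}")
```

Two things the run makes visible: with `reject_non_fqdn_helo_hostname` listed before `check_helo_access`, a bare "192.0.2.1" never reaches the 550 rule, so the table rule only matters when the restriction order differs; and `^[\d.]+$` also fires on "1.2" or "...", which is why the anchored dotted-quad form is the more precise choice.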