[978] in linux-security and linux-alert archive
Re: [linux-security] sendmail security
daemon@ATHENA.MIT.EDU (Kai Henningsen)
Sun Jul 28 08:46:57 1996
Date: 27 Jul 1996 23:08:00 +0200
From: kai@khms.westfalen.de (Kai Henningsen)
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <6DflrOEUcsB@khms.westfalen.de>
kai@khms.westfalen.de (Kai Henningsen) wrote on 27.07.96 in <6DflrOEUcsB@khms.westfalen.de>:
> * The FROM field SHOULD contain both (1) the name of the
> source host as presented in the HELO command and (2) a
> domain literal containing the IP address of the source,
> determined from the TCP connection.
>
> [REW: deleted some more. If I'm not mistaken "SHOULD" is explained to
> mean the same as "MUST" in the RFCs.]
Very much nope:

   1.3.2  Requirements

      In this document, the words that are used to define the
      significance of each particular requirement are capitalized.
      These words are:

      *    "MUST"

           This word or the adjective "REQUIRED" means that the item
           is an absolute requirement of the specification.

      *    "SHOULD"

           This word or the adjective "RECOMMENDED" means that there
           may exist valid reasons in particular circumstances to
           ignore this item, but the full implications should be
           understood and the case carefully weighed before choosing
           a different course.

      *    "MAY"

           This word or the adjective "OPTIONAL" means that this item
           is truly optional.  One vendor may choose to include the
           item because a particular marketplace requires it or
           because it enhances the product, for example; another
           vendor may omit the same item.

      An implementation is not compliant if it fails to satisfy one
      or more of the MUST requirements for the protocols it
      implements.  An implementation that satisfies all the MUST and
      all the SHOULD requirements for its protocols is said to be
      "unconditionally compliant"; one that satisfies all the MUST
      requirements but not all the SHOULD requirements for its
      protocols is said to be "conditionally compliant".

[REW: Ok. I stand corrected. Thanks. However, I'd consider receiving
mail through an uucp from a host not having an IP address a "valid
reason" not to mention the IP address. In the case of the SMTP
protocol the other side not having an IP address seems highly
unlikely.... :-) Conclusion: Smail can be configured to be
non-compliant. This is the default configuration on some
distributions. In my eyes the absence of a "valid reason" not
implementing a SHOULD makes for a violation of the RFC.]
Regards, Kai
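
As an added illustration, not part of the original message or of any mailer's code: a Python check for the quoted requirement that the FROM field of a Received: line carry both the HELO name and a domain literal with the source IP. The sample headers and host names are constructed, and treating a non-SMTP "with" transport such as UUCP as exempt follows the moderator's remark and is an assumption of this example.

```python
import ipaddress
import re

FROM_RE = re.compile(r"^\s*from\s+(?P<src>.*?)\s+by\s+(?P<rest>.*)$", re.I | re.S)
LITERAL_RE = re.compile(r"\[(?:IPv6:)?([^\]\s]+)\]", re.I)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9-]+)", re.I)

# Constructed Received: header values (hosts and addresses are documentation ranges).
SAMPLES = [
    "from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.net with SMTP id AA123; Sat, 27 Jul 1996 23:08:00 +0200",
    "from mail.example.org by mx.example.net with smtp id m0ukABC;"
    " Sat, 27 Jul 1996 23:08:00 +0200",
    "from uuhost by mx.example.net with uucp; Sat, 27 Jul 1996 23:08:00 +0200",
    "from mail.example.org ([not-an-address]) by mx.example.net with ESMTP; ...",
]

def check_received(value):
    """Return (helo_name, source_ip, verdict) for one Received: header value."""
    value = " ".join(value.split())            # unfold continuation lines
    m = FROM_RE.match(value)
    if not m:
        return None, None, "no-from-clause"
    src, rest = m.group("src"), m.group("rest")
    first = src.split()[0]
    helo = first if first[0] not in "[(" else None
    ip = None
    for cand in LITERAL_RE.findall(src):
        try:
            ip = str(ipaddress.ip_address(cand))
            break
        except ValueError:
            continue                           # bracketed text that is not an address
    w = WITH_RE.search(rest)
    proto = w.group(1).upper() if w else ""    # no "with" clause: assume SMTP
    if proto and "SMTP" not in proto:
        return helo, ip, "non-smtp-transport"  # e.g. UUCP: no TCP peer to record
    if helo and ip:
        return helo, ip, "ok"
    return helo, ip, "missing-ip-literal" if helo else "missing-helo-name"

def audit(headers):
    """Verdict for each header, in order."""
    return [check_received(h)[2] for h in headers]

if __name__ == "__main__":
    for header, verdict in zip(SAMPLES, audit(SAMPLES)):
        print(f"{verdict:20} {' '.join(header.split())[:60]}")
```

A "missing-ip-literal" verdict on a hop received over SMTP means the only record of the sender is the name it claimed in HELO, which the receiving host did not determine from the TCP connection.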