[978] in linux-security and linux-alert archive


Re: [linux-security] sendmail security

daemon@ATHENA.MIT.EDU (Kai Henningsen)
Sun Jul 28 08:46:57 1996

Date: 27 Jul 1996 23:08:00 +0200
From: kai@khms.westfalen.de (Kai Henningsen)
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <6DflrOEUcsB@khms.westfalen.de>

kai@khms.westfalen.de (Kai Henningsen)  wrote on 27.07.96 in <6DflrOEUcsB@khms.westfalen.de>:

>          *    The FROM field SHOULD contain both (1) the name of the
>               source host as presented in the HELO command and (2) a
>               domain literal containing the IP address of the source,
>               determined from the TCP connection.
>
> [REW: deleted some more. If I'm not mistaken "SHOULD" is explained to
> mean the same as "MUST" in the RFCs.]

Very much nope:


      1.3.2  Requirements

         In this document, the words that are used to define the
         significance of each particular requirement are capitalized.
         These words are:

         *    "MUST"

              This word or the adjective "REQUIRED" means that the item
              is an absolute requirement of the specification.

         *    "SHOULD"

              This word or the adjective "RECOMMENDED" means that there
              may exist valid reasons in particular circumstances to
              ignore this item, but the full implications should be
              understood and the case carefully weighed before choosing
              a different course.

         *    "MAY"

              This word or the adjective "OPTIONAL" means that this item
              is truly optional.  One vendor may choose to include the
              item because a particular marketplace requires it or
              because it enhances the product, for example; another
              vendor may omit the same item.


         An implementation is not compliant if it fails to satisfy one
         or more of the MUST requirements for the protocols it
         implements.  An implementation that satisfies all the MUST and
         all the SHOULD requirements for its protocols is said to be
         "unconditionally compliant"; one that satisfies all the MUST
         requirements but not all the SHOULD requirements for its
         protocols is said to be "conditionally compliant".

[REW: Ok. I stand corrected. Thanks. However, I'd consider receiving
mail through an uucp from a host not having an IP address a "valid
reason" not to mention the IP address. In the case of the SMTP
protocol the other side not having an IP address seems highly
unlikely.... :-) Conclusion: Smail can be configured to be
non-compliant. This is the default configuration on some
distributions.  In my eyes the absence of a "valid reason" not
implementing a SHOULD makes for a violation of the RFC.]


Kind regards, Kai
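
The Received-header rule quoted in this thread can be checked mechanically when tracing mail. The following Python is an added example, not part of the original post or of any mailer: it assumes the common `from helo (name [ip]) by ... with proto` layout, and the function name, verdict labels and sample headers are constructed for illustration.

```python
import ipaddress
import re

# "from <helo-name>" at the start of the header value.
FROM_RE = re.compile(r"^\s*from\s+([^\s();]+)", re.I)
# Domain literal such as [192.0.2.7] or [IPv6:2001:db8::1].
LITERAL_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# "with <protocol>" clause (SMTP, ESMTP, UUCP, ...).
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)

# Constructed sample header values (documentation addresses, not real hosts).
SAMPLES = [
    "from mail.example.com (mail.example.com [192.0.2.7]) by mx.example.org with ESMTP id abc; Sat, 27 Jul 1996 23:08:00 +0200",
    "from mail.example.com by mx.example.org with smtp; Sat, 27 Jul 1996 23:08:00 +0200",
    "from leaf.example.com by hub.example.org with uucp; Sat, 27 Jul 1996 23:08:00 +0200",
]


def check_received(value):
    """Classify one Received: header value against the quoted SHOULD."""
    # Only the text before " by " describes the sending side.
    from_part = re.split(r"\s+by\s+", value, maxsplit=1, flags=re.I)[0]
    m = FROM_RE.match(from_part)
    helo = m.group(1) if m else None
    ip = None
    for cand in LITERAL_RE.findall(from_part):
        try:
            ip = str(ipaddress.ip_address(cand))  # reject malformed literals
            break
        except ValueError:
            continue
    w = WITH_RE.search(value)
    proto = w.group(1).upper() if w else None
    if helo and ip:
        verdict = "should-met"        # HELO name and IP literal both recorded
    elif proto == "UUCP":
        # The "valid reason" from the moderator's note: no TCP peer exists.
        verdict = "no-ip-expected"
    else:
        verdict = "should-not-met"    # SMTP hop without the source address
    return {"helo": helo, "ip": ip, "with": proto, "verdict": verdict}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_received(sample))
```
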
