[29946] in North American Network Operators' Group
RE: RBL-type BGP service for known rogue networks?
daemon@ATHENA.MIT.EDU (Karyn Ulriksen)
Mon Jul 10 12:13:53 2000
Message-ID: <0127E258EE29D3118A0F00609765B44831789F@subnet-gw-00053.sitestream.net>
From: Karyn Ulriksen <kulriksen@publichost.com>
To: 'Shawn McMahon' <smcmahon@eiv.com>, nanog@merit.edu
Date: Mon, 10 Jul 2000 09:06:49 -0700
Shawn,
I noticed that in BIND8, DNS gets _VERY_ unhappy if you use a CNAME for
the zone's MX. Maybe there's something else at work....
Karyn
-----Original Message-----
From: Shawn McMahon [mailto:smcmahon@eiv.com]
Sent: Monday, July 10, 2000 8:38 AM
To: nanog@merit.edu
Subject: Re: RBL-type BGP service for known rogue networks?
On Mon, Jul 10, 2000 at 11:10:35AM -0400, Greg A. Woods wrote:
>
> However I should have listed the other requirement that I thought was
> self-obvious since we're talking about SMTP here. I.e. I don't ever
> accept e-mail from anything less than the most strictly conforming SMTP
> implementations. You're violating part one of RFC 1123 section #5.2.5.
> The name given by your SMTP server in the HELO "MUST" be a canonical
> hostname. It must not be a CNAME.
Oh, you wanna go there?
    5.2.5 HELO Command: RFC-821 Section 3.5

    The sender-SMTP MUST ensure that the <domain> parameter in a
    HELO command is a valid principal host domain name for the
    client host. As a result, the receiver-SMTP will not have to
    perform MX resolution on this name in order to validate the
    HELO parameter.

    The HELO receiver MAY verify that the HELO parameter really
    corresponds to the IP address of the sender. However, the
    receiver MUST NOT refuse to accept a message, even if the
    sender's HELO command fails verification.
Hmm. MUST NOT refuse. Who's violating the RFC here, again?
*ANYBODY* using sendmail from a dynamic IP is either going to do this, or
worse. RFC 1123 requires you to live with it.
If you choose not to, don't wave the damn RFC around like a magic shield.
CNAMEs are "valid principal host domain name[s]". Nothing in the RFC
says it can't be a CNAME, but something in the RFC says you have to accept
it even if it's flat-out wrong or a lie.
Your thin ice just cracked, Greg. Admit you're wrong and get on with your
life.
You're not running an RFC 1123-compliant mail setup at present.
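
The receiver-side behaviour in the RFC 1123 section 5.2.5 text quoted above, as an added example that is not part of the original thread: the HELO name is checked against the connecting address, CNAMEs included, and the outcome is recorded while the HELO is still accepted. The zone data, host names, function names and annotation format are constructed assumptions; a dictionary stands in for DNS so the code runs offline.

```python
import ipaddress

# Constructed zone data standing in for DNS (hypothetical names, RFC 5737 addresses).
ZONE = {
    "mail.example.net": ("A", "192.0.2.10"),
    "smtp.example.net": ("CNAME", "mail.example.net"),
    "dialup.example.org": ("A", "198.51.100.7"),
}

def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs to an address; return (address or None, saw_cname)."""
    saw_cname = False
    name = name.rstrip(".").lower()
    for _ in range(max_hops):  # bounded so a CNAME loop terminates
        rec = zone.get(name)
        if rec is None:
            return None, saw_cname
        rtype, value = rec
        if rtype == "A":
            return value, saw_cname
        saw_cname = True
        name = value.rstrip(".").lower()
    return None, saw_cname

def verify_helo(helo, client_ip, zone=ZONE):
    """Optional check: does the HELO name correspond to the sender's IP address?"""
    addr, saw_cname = resolve(helo, zone)
    if addr is None:
        return "unresolvable"
    if ipaddress.ip_address(addr) != ipaddress.ip_address(client_ip):
        return "mismatch"
    return "match-via-cname" if saw_cname else "match"

def helo_policy(helo, client_ip, zone=ZONE):
    """Record the verification result but never refuse on it (the MUST NOT above).
    Returns (SMTP reply code, trace annotation for logs)."""
    verdict = verify_helo(helo, client_ip, zone)
    return 250, f"helo={helo} client-ip={client_ip} helo-check={verdict}"

if __name__ == "__main__":
    for helo, ip in [("mail.example.net", "192.0.2.10"),
                     ("smtp.example.net", "192.0.2.10"),
                     ("dialup.example.org", "192.0.2.10"),
                     ("nosuch.example.com", "192.0.2.10")]:
        print(helo_policy(helo, ip))
```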