Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Jeroen Geilman (jeroenadaptr.nl)
Date: Fri Jun 11 2010 - 12:38:28 CDT
On 06/11/2010 05:48 PM, Stan Hoeppner wrote:
> Wietse Venema put forth on 6/11/2010 9:21 AM:
>> Stan Hoeppner:
>>> Does Postfix consider "architettobellucci.com" an FQDN? I've always
>>> understood an FQDN as requiring all 3 of host.domain.tld. If my understanding
>>> of FQDN is correct, then a spam slipped through that I believe should have
>>> been rejected by reject_non_fqdn_helo_hostname. What have I configured
>>> incorrectly that allowed this spam through?
>> Postfix's reject_non_fqdn_mumble features were intended to stop
>> hosts that announce themselves by their netbios name (e.g., HELO
>> Postfix does not know where the registration boundaries are (.com
>> and .org versus .co.uk and .ac.jp). Thus it uses the simplistic
>> "does the name contain at least one dot". This is by no means
>> bullet-proof with hosts (or domains) at the top level.
> Thanks Wietse. For some reason I'd always assumed it was a little more
> sophisticated than that. But as you point out, and upon reflection, it seems
> it'd be pretty difficult to code this level of sophistication into the fqdn
As per DNS, any valid domain construct is, by definition, a valid hostname.
So foo.com is just as fully-qualified as bar.baz.sub.foo.com - just a
whole lot shorter.
For this simple reason, it is not possible to determine whether a
hostname is fully-qualified by its appearance alone.
A more complete check is to use reject_unknown_helo_hostname - this
verifies whether such a hostname actually *exists* in DNS, thus also
fulfilling the non-fqdn-check's premise of testing for a fqdn (a DNS A
record is, by definition, a fqdn.)
However, it costs a little more, of course - it has to do the lookup.