Re: reject_non_fqdn_helo_hostname

From: Jeroen Geilman (jeroenadaptr.nl)
Date: Fri Jun 11 2010 - 12:38:28 CDT


On 06/11/2010 05:48 PM, Stan Hoeppner wrote:
> Wietse Venema put forth on 6/11/2010 9:21 AM:
>
>> Stan Hoeppner:
>>
>>> Does Postfix consider "architettobellucci.com" an FQDN? I've always
>>> understood an FQDN as requiring all 3 of host.domain.tld. If my understanding
>>> of FQDN is correct, then a spam slipped through that I believe should have
>>> been rejected by reject_non_fqdn_helo_hostname. What have I configured
>>> incorrectly that allowed this spam through?
>>>
>> Postfix's reject_non_fqdn_mumble features were intended to stop
>> hosts that announce themselves by their netbios name (e.g., HELO
>> OEMCOMPUTER).
>>
>> Postfix does not know where the registration boundaries are (.com
>> and .org versus .co.uk and .ac.jp). Thus it uses the simplistic
>> "does the name contain at least one dot". This is by no means
>> bullet-proof with hosts (or domains) at the top level.
>>
>
> Thanks Wietse. For some reason I'd always assumed it was a little more
> sophisticated than that. But as you point out, and upon reflection, it seems
> it'd be pretty difficult to code this level of sophistication into the fqdn
> checking.
>

As per DNS, any valid domain construct is, by definition, a valid hostname.
So foo.com is just as fully-qualified as bar.baz.sub.foo.com - just a
whole lot shorter.
For this simple reason, it is not possible to determine whether a
hostname is fully-qualified by its appearance alone.

A more complete check is to use reject_unknown_helo_hostname - this
verifies whether such a hostname actually *exists* in DNS, thus also
fulfilling the non-fqdn-check's premise of testing for a fqdn (a DNS A
record is, by definition, a fqdn.)

However, it costs a little more, of course - it has to do the lookup.

J.
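The two checks contrasted in this thread, written out as an added Python illustration (not Postfix source and not code from anyone on the list). It reproduces only what the thread states: the "non-fqdn" restriction boils down to "does the name contain at least one dot", while reject_unknown_helo_hostname additionally requires the name to resolve. The label-syntax check, the DNS table and the hostnames other than those quoted in the thread are constructed for the example; the lookup is injected so the code runs offline instead of querying a real resolver.

```python
"""Illustration of the two HELO hostname checks discussed above.

Added example, not Postfix code. Modelled on the thread's description:
  - reject_non_fqdn_helo_hostname: "does the name contain at least one dot"
    (a basic hostname-syntax check is assumed on top of that).
  - reject_unknown_helo_hostname: the HELO name must actually exist in DNS.
The DNS lookup is injected so the example runs offline against a constructed
table; a real deployment would query the resolver, which is the extra cost
Jeroen mentions.
"""
import re
from typing import Callable, Optional

# RFC 1123-style label: letters, digits, hyphens; no leading/trailing hyphen.
# Assumed for the example; Postfix's own syntax check is not reproduced here.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_syntactically_valid(name: str) -> bool:
    """Basic hostname syntax: non-empty, length-limited, every label well formed."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def looks_fully_qualified(name: str) -> bool:
    """The heuristic as Wietse describes it: at least one dot.

    'OEMCOMPUTER' (a NetBIOS-style name) fails. A bare registered domain such as
    'architettobellucci.com' passes, which is exactly the gap Stan observed.
    """
    return is_syntactically_valid(name) and "." in name.rstrip(".")


# Constructed DNS table standing in for the resolver (A records). These names
# and addresses are invented for the example and say nothing about real hosts.
FAKE_DNS = {
    "mail.example.net": "192.0.2.10",
    "example.org": "192.0.2.20",
}


def fake_lookup(name: str) -> Optional[str]:
    """Offline stand-in for an A-record query."""
    return FAKE_DNS.get(name.rstrip(".").lower())


def exists_in_dns(name: str, lookup: Callable[[str], Optional[str]] = fake_lookup) -> bool:
    """reject_unknown_helo_hostname semantics: the name must resolve."""
    return is_syntactically_valid(name) and lookup(name) is not None


def evaluate_helo(name: str, lookup: Callable[[str], Optional[str]] = fake_lookup) -> str:
    """Apply the checks cheap-first, mirroring this main.cf ordering:

        smtpd_helo_restrictions =
            reject_non_fqdn_helo_hostname,
            reject_unknown_helo_hostname

    The dot test costs nothing and screens out NetBIOS-style names before any
    DNS lookup is spent; the lookup then catches names that merely look
    qualified. Returns a short verdict string.
    """
    if not looks_fully_qualified(name):
        return "REJECT non-fqdn"
    if not exists_in_dns(name, lookup):
        return "REJECT unknown"
    return "OK"


if __name__ == "__main__":
    for helo in ("OEMCOMPUTER", "architettobellucci.com", "unregistered.example",
                 "mail.example.net", "example.org"):
        print(f"{helo:28} {evaluate_helo(helo)}")
```

Running it shows the point of the thread: the single-dot test alone lets any bare domain through, and only the resolver-backed check distinguishes a name that exists from one that merely looks the part.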