[Slackbuilds-users] MTA used by submission form doesn't use FQDN in HELO

Rob McGee rob0 at slackbuilds.org
Wed Jan 17 23:57:36 UTC 2018 

On Wed, Jan 17, 2018 at 05:02:01PM +0000, Sebastian Arcus wrote:
> The submission form at SBo does a check on the email address to the
> originating MTA when a package is uploaded.

The check is done at the MX for the domain, specifically.

> However, the MTA used by the submission form uses just 
> "slackbuilds.org" as HELO name. I know the RFC only recommends,
> not requires, a FQDN for smtp HELO names,

(Note, there is no MTA involved.  This is just a simple PHP form 
attempting to validate the email addresses it is given.)

FQDN as HELO is required, but indeed "slackbuilds.org" is a FQDN.  If 
you're using Postfix, note that the smtpd restriction, 
"reject_non_fqdn_helo_hostname", would not reject that.  Neither 
would "reject_invalid_helo_hostname"; it's a perfectly valid HELO 
hostname in accordance with RFC5321 and related standards.

Note also that the host has forward-confirmed reverse DNS as 
"slackbuilds.org", so that HELO name really is the most appropriate 
choice.  We're also listed in DNSWL.org, and spam complaints would 
have us removed from that list.

> ... but the vast majority of reputable SMTP servers use an FQDN 
> nowadays. So much so that, as an email server admin, you are pretty 
> safe rejecting connections presenting any other type of HELO, as 
> they are 99.9% spam from trojan bots.

I think there are usually safer indications of spam zombies than 
a FQDN HELO hostname consisting of only two labels.  But I'll concede 
your point, that the vast majority of good mailers have three or more 
labels in their hostname.

> I just tried to upload a package update at SBo, and had my email 
> address rejected, as my own email server, in turn, rejected the 
> connection attempt from SBo. I temporarily disabled the relevant 
> check in my config,

Would you mind telling me what you did that rejected this?  Also 
please share your MTA logs of the rejection.  Offlist is fine if 
you're shy about posting logs here.

> ... but would it be possible to reconfigure the MTA at SBo's end
> at some point, to present a FQDN, not just "slackbuilds.org"?

Thank you for the suggestion.  While I disagree with the details, 
such as what constitutes a FQDN, we are not [yet?] rejecting the 
idea.  It's possible that this has been the reason for other sites 
rejecting our email address probes.

> The mailing list comes from a different
> MTA, I presume, as it presents a proper HELO. Only a suggestion.

Yes, the list is from a MTA at a different site.
-- 
    Rob McGee - /dev/rob0 - rob0 at slackbuilds.org

More information about the SlackBuilds-users mailing list