Earlier this week we learned that GoDaddy was blocking legitimate mail from Modwest customers to GoDaddy customers. A quick call to their HQ revealed that they were blocking one of our mail servers because of a "bogus helo" problem, which, in their words, generally indicated the presence of a spam or virus outbreak. Once we eliminated this possibility and ensured our strict spam policies were being followed, I asked Mike, our senior sysadmin and Operations Manager, for his analysis of the GoDaddy's policy. Here's what he had to say:
Why is the policy of checking SMTP/ESMTP HELO/EHLO bad? RFC2821 (which supersedes RFC821 as the SMTP/ESMTP standard) Section 4.1.1.1 describes the SMTP HELO and ESMTP EHLO Command, response, and requirements. An EHLO or HELO is a MUST for SMTP clients. RFC2821 Sec. 4.1.1.1 states exactly this "The argument field contains the fully-qualified domain name of the SMTP client if one is available." There are many cases where one is not available. Or where an accurate one is not available.
Now, strictly speaking, if one can't determine a valid domain you're supposed to use what RFC2821 calls an "address literal". This amounts to your IPv4 or IPv6 address enclosed in []. All of this is problematic. In the case of using a domain name, what is the "correct" domain name? Well RFC2821 makes that very clear. Section 3.6 addresses what a domain name is in this case. Specifically it states:
* The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal as described in section 4.1.1.1.
* The reserved mailbox name "postmaster" may be used in a RCPT command without domain qualification (see section 4.1.1.3) and MUST be accepted if so used.
So the second bit isn't applicable in this case. We're talking about a domain, not an address, but the second first part is.
In our case we have a large mail cluster whose primary host name is mail.modwest.com, which has an associated A record. The RFC does NOT make any requirement as to that A record matching the IPv4 or IPv6 address we're connecting to the remote host from. But when presented with this as a HELO/EHLO domain, GoDaddy refuses the message with a hard failure. So our case of using the HELO/EHLO is clearly supported by the RFC. GoDaddy refusing to accept the mail at that point, claiming a violation of HELO/EHLO being refused is unsupported by the governing standard in the case that our server says "EHLO mail.modwest.com".
Now, it is possible that GoDaddy is rejecting mail because of suspected virus load coming from a particular machine, but again, it should not be stating the problem to be an invalid HELO/EHLO if this is the case. If you can't accurately identify to the sender the reason why you're rejecting a message, at the time you reject it, you should not reject it.
So why might the domain name not be available for HELO/EHLO? It may be a case of DHCP environments, where you don't know what your rDNS should be. It may be the case of a large cluster of machines that appear as the same machine. It may be the case of a single machine with multiple interfaces. (Only the kernel initially knows the interface and therefore IP that was used for an outbound connection, unless you explicitly force them to come from a particular IP, but that can have other nasty interactions with stateful firewalls and reverse path filters. )
So there you have it. GoDaddy, we'd love to work together with you to reduce spam and malware. But can you let our customers' legitimate mail through to your customers now? We're pretty sure both sides would appreciate it.
UPDATE 4/20: GoDaddy says they've unblocked the mail server in question, and it seems to be the case.
-JM
Subscribe to this blog's feed