[Pymilter] hostname in Authentication-Results
Stuart D Gathman
stuart at gathman.org
Sun Mar 9 17:21:34 EDT 2025
On Fri, 7 Mar 2025, Marco Moock wrote:
> While debugging other stuff, somebody noticed that the hostname in
> Authentication-Results: is not fully qualified. I would like to use the
> FQDN here, as the assumption is that different names cause OpenDMARC
> not to recognize the header.
>
> Other tools like OpenDKIM use the FQDN of my machine.

SMTP RFCs do indeed say you MUST use a FQDN.

Pyspf obtains the hostname via socket.gethostname(). An MTA should have
a FQDN configured (e.g. via hostnamectl), but some people use a single
word. (Just as they incorrectly use an unqualified name for HELO in
sendmail config.)

Possible corrections:

1) Emphasize in docs that hostname MUST be a FQDN. How this is
configured depends on distro. It can be /etc/hostname or use
hostnamectl (systemd), or some other method.

2) Have pyspf use socket.getfqdn() instead. This looks up hostname from
local IP and uses the first that contains a period, or
socket.gethostname(). All kinds of things can go wrong with this.
I don't recommend it.

3) Have a special pyspf config to override socket.gethostname(). This
is relatively safe - but then admins will wonder what to put in this
(redundant) config and still put in an unqualified name. Just fix the
hostname already.

4) Have pyspf use milter API to obtain the MTA name configured for HELO
- which is *supposed* to be the fully qualified hostname. Again, this
is misconfigured even more often than hostname.

5) Have pyspf check that socket.gethostname() is indeed a FQDN, and
throw a (hopefully informative) exception if that is not the case.

Having listed these, I lean toward #5.

> Is that an issue of pyspf or at another place?

Depends on your distro. What is in /etc/hostname? Does your system use
systemd?
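
A sketch of the check described in option 5, as an added example that is not part of the original message and is not pyspf's code: the host name is validated as a FQDN before it is used as the authserv-id of an Authentication-Results value, and an informative exception is raised otherwise. The names require_fqdn, authres_header and UnqualifiedHostnameError are hypothetical, and the host names used are constructed samples.

```python
import re
import socket

# One DNS label (RFC 1123): letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class UnqualifiedHostnameError(ValueError):
    """Hypothetical exception: the system host name is not usable as a FQDN."""


def require_fqdn(name):
    """Return name lowercased without a trailing dot if it is a FQDN, else raise."""
    host = name.strip()
    if host.endswith("."):
        host = host[:-1]
    labels = host.split(".")
    if len(host) > 253 or not all(_LABEL.fullmatch(label) for label in labels):
        raise UnqualifiedHostnameError(f"{name!r} is not a valid DNS host name")
    if len(labels) < 2:
        raise UnqualifiedHostnameError(
            f"host name {name!r} is not fully qualified; configure a FQDN "
            "(e.g. /etc/hostname or hostnamectl) before starting the milter")
    if labels[-1].isdigit():
        raise UnqualifiedHostnameError(f"{name!r} is an IP address, not a host name")
    return host.lower()


def authres_header(result, mailfrom, get_hostname=socket.gethostname):
    """Build an RFC 8601 Authentication-Results value for an SPF result.

    get_hostname is injectable so the check can be exercised without
    touching the machine's real configuration.
    """
    authserv_id = require_fqdn(get_hostname())
    return f"{authserv_id}; spf={result} smtp.mailfrom={mailfrom}"


if __name__ == "__main__":
    try:
        print("Authentication-Results:", authres_header("pass", "example.net"))
    except UnqualifiedHostnameError as exc:
        print("refusing to emit header:", exc)
```

Failing at startup this way surfaces the misconfiguration to the admin instead of emitting a header that a downstream consumer silently ignores.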