I have two questions about SMTP RFC:
What value should I pass as the argument for the EHLO command if I don't have my own domain name?
The domain name given in the EHLO command MUST be either a primary
host name (a domain name that resolves to an address RR) or, if
the host has no name, an address literal, as described in
Section 4.1.3 and discussed further in the EHLO discussion of
Section 4.1.4.
I don't really undesrstand Section 4.1.3. Can you give me an example or rephrase it?
Which headers are required to send in the DATA section?
Thanks in advance.
Argument to EHLO in the absence of a domain name
Section 4.1.3 Address Literals of RFC 2821 says:
Sometimes a host is not known to the domain name system and
communication (and, in particular, communication to report and repair
the error) is blocked. To bypass this barrier a special literal form
of the address is allowed as an alternative to a domain name. For
IPv4 addresses, this form uses four small decimal integers separated
by dots and enclosed by brackets such as [123.255.37.2], which
indicates an (IPv4) Internet Address in sequence-of-octets form.
so a simple EHLO [123.255.37.2] suffices (with the actual IP address of your SMTP server of course). Or it could be a properly formatted IPv6 instead.
Required headers
Section 3.6. Field definitions of RFC 2822 says:
The only required header fields are the origination date field and
the originator address field(s). All other header fields are
syntactically optional.
so only From: and Date: are required.
If you don't have a domain name, you should use your IP address:
EHLO [192.168.1.1]
It's kind of a ridiculous requirement in the protocol seeing as how there's no real value in this piece of information. The server shouldn't trust it (obviously) and it is trivial for the server to get the IP address of the connecting client, anyway.
Related
When I connect to an SMTP server, and issue an EHLO (ESMTP) greeting, some servers respond with:
250-STARTTLS
And other servers, respond with:
250 STARTTLS
Which is correct? RFC 3207 suggests that the hyphen is correct. But RFC 2487 suggests there shouldn't be a hyphen. Are they both correct? of course, deployed code usually takes precedence over standards, but it would be nice to clarify this.
As a random sample, MessageLabs offer "250 STARTTLS" whereas Hotmail/Outlook offer "250-STARTTLS".
The answer is in RFC 2821. It specifies the following:
Normally, the response to EHLO will be a multiline reply. Each line
of the response contains a keyword and, optionally, one or more
parameters. Following the normal syntax for multiline replies, these
keywords follow the code (250) and a hyphen for all but the last
line, and the code and a space for the last line
So RFC2487 has it without a space, because it's the last line of their sample SMTP session. RFC3207 has it with a hyphen, because it's not the last line (and this holds true for my Hotmail/Messagelabs example above).
The ip 0 is the simplest alias I've found to localhost, and most browsers can open the page http://0/ without problem.
When trying the same on Chrome, it always redirect me to the search page.. like it does not recognize that 0, 0:80, 127.1, o 127.1:80 are valid IPs -- although it ask if you meant 0.0.0.0 or 127.0.0.1
Chrome can, however, open the page http://0.0.0.0 correctly
Every HTTP URL consists of the following, in the given order. Several schemes other than HTTP also share this general format, with some variation.
the scheme name (commonly called protocol, although not every URL scheme is a protocol, e.g. mailto is not a protocol);
a colon, two slashes;
a host, normally given as a domain name but sometimes as a literal IP address;
optionally a colon followed by a port number;
the full path of the resource;
The scheme says how to connect, the host specifies where to connect, and the remainder specifies what to ask for.
For programs such as Common Gateway Interface (CGI) scripts, this is followed by a query string and an optional fragment identifier.
The syntax is:
scheme://domain:port/path?query_string#fragment_id
So basically http is valid scheme, :// are valid colon and two slashes, but 0 is not valid domain name or IP address. However, the http://0.0.0.0 are valid scheme and literal IP address, that's why Google Chrome opens it.
The domain name or literal numeric IP address gives the destination location for the URL. A literal numeric IPv6 address may be given, but must be enclosed in [ ] e.g. [db8:0cec::99:123a]
The fact that other browsers "convert" http://0/ into localhost or 127.x.x.x is just browser implementation, it is not by the standard.
More details:
IETF and IETF
Wikipedia
Scenario is this:
Parent.com can have a 'html only' file
and it has iframe with Iframe.com (php that i have full \controll ).
Question is this:
How can i check if iframe.com is loaded only by parent and cant be iframed by other domains
EDIT: Some solution suggest checking Referrer but this can be spoofed.
referer is as close as you can get before getting into really complicated territory.
While it can be spoofed, it can only be spoofed by the client. A third party website couldn't make the client spoof it.
That said, referer is optional. Browsers don't have to send it, and they tend not to under quite a lot of circumstances (such as when the referring document was served over HTTPS).
The following might work…
iframe.example.com uses server side code to request a token from framed.example.net, the request includes the ip address of the browser and a password authorising iframe.example.com to frame framed.example.net
framed.example.net generates a token and gives it to iframe.example.com, registering it against the ip address of the browser
iframe.example.com generates a URI with the token in the query string and uses it as the src to the iframe
framed.example.net checks that the token exists and the ip address in the record matches the ip address the request came from (the browser)
This will generate false negatives when the browser doesn't have a consistent ip address (such as when behind a group of proxy servers, which I seem to recall is quite common in cellular broadband), so I wouldn't recommend it.
X509v3 can contain IP address field in subject Alternative Name extension.
As an application verifying the server's identity, how should the IP address field be validated?
If both DNS name and IP address are present? Is there a preference of one over the another?
What is the use of dirName field?
I read RFC 2818 earlier but must have missed this part.
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
My answer is based on my experience with TLS/SSL.
It's based upon the implementation of the certificate validation. To enforce IP address match, you have to implement that.
Whatever way you want. You could also check both.
Sorry no idea what this field does.
Have you checked the OpenSSL documentation?
Let E=encrypt(msg) D=digest(E)
If I send E+D to the peer. How is the peer supposed to know that it needs to split the incoming message at E and calculate its digest and verify against D.
Should the final msg contain some kind of length parameter or a delimiter
There's no magic mechanism to add signatures independent of protocol. Each network protocol that allows for digital signatures, or digests, or encryption, does so differently.
For example:
http://en.wikipedia.org/wiki/WS-Security