Re: Reverse DNS lookups

Author: Philip Hazel
Date:  
To: mgriffit
CC: EXIM-USERS
Subject: Re: Reverse DNS lookups
On Mon, 30 Jun 1997 mgriffit@??? wrote:

> Is it possible to configure Exim to do 'reverse DNS lookup' verification on
> incoming SMTP hosts? Our current setup using PP has this enabled, so will reply
> with a 421 error causing:
>
>    PP cannot resolve address. 'nnn.nnn.nnn.nnn'
>    ...Deferred: Connection reset by peer ..........
(1) If you set helo_verify_nets to match all networks, Exim will do a
reverse lookup for every host. However, if it fails, it does not stop
Exim receiving the message. This is because RFC 1123 says:

      5.2.5  HELO Command: RFC-821 Section 3.5

         The sender-SMTP MUST ensure that the <domain> parameter in a
         HELO command is a valid principal host domain name for the
         client host.  As a result, the receiver-SMTP will not have to
         perform MX resolution on this name in order to validate the
         HELO parameter.

         The HELO receiver MAY verify that the HELO parameter really
         corresponds to the IP address of the sender.  However, the
         receiver MUST NOT refuse to accept a message, even if the
         sender's HELO command fails verification.

OK, it doesn't exactly say "you must not refuse a message if you can't
reverse look up the IP address", but I take it in that spirit.

Personally, I think it wastes a lot of time reverse looking up *every*
incoming host address. We configure Exim just to do it for the local
networks, so as to get a valid host name to log from incoming messages
from MUAs that are misconfigured.

(2) A reverse lookup is also done by Exim if one of its blocking
configurations requires it. If you say

sender_host_accept = a.b.c.d

then it does a *forward* lookup, once and for all, at startup. However,
if you say

sender_host_accept = *.b.c.d

then it has to do a reverse lookup for each incoming call. You could
probably subvert this into making it do a lookup for every call with
something like

sender_host_accept = ^.*$

(The case of just "*" is optimised not to do a lookup.) However, if the
lookup fails, Exim gives a 5xx error rather than a 4xx error. Not that
that will stop a remote MTA trying again.

Philip

-- 
Philip Hazel                   University Computing Service,
ph10@???             New Museums Site, Cambridge CB2 3QG,
P.Hazel@???          England.  Phone: +44 1223 334714
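The host-list semantics described in point (2) above (a literal name is forward-resolved once, a wildcard or regex item forces a reverse lookup per call, a bare "*" is optimised to skip the lookup, and a failed reverse lookup produces a 5xx reply) modelled as a small Python program. This is an added example written for this archive page, not Exim's own code and not Philip's; the REVERSE and FORWARD tables are constructed stand-ins for DNS (RFC 5737 documentation addresses) so that it runs offline, and the `classify`, `needs_reverse_lookup` and `check_host` names are this example's own.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for DNS so the example runs offline (not real hosts).
# Reverse table: IP -> PTR name, or None where the reverse lookup fails.
REVERSE: Dict[str, Optional[str]] = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.20": "relay.example.com",
    "192.0.2.30": None,
}
# Forward table: host name -> IP, consulted once for plain names ("a.b.c.d").
FORWARD: Dict[str, str] = {
    "mail.example.com": "192.0.2.10",
    "relay.example.com": "192.0.2.20",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(pattern: str) -> str:
    """Name the kind of host-list item, following the semantics in the message:
    "*" matches everything without any lookup, "^..." is a regex, a literal
    IP needs no lookup, "*.b.c.d" is a wildcard on the caller's name, and a
    plain name is forward-resolved once (at startup) to an address."""
    if pattern == "*":
        return "any"
    if pattern.startswith("^"):
        return "regex"
    if IPV4.match(pattern):
        return "ip"
    if "*" in pattern:
        return "wildcard"
    return "name"


def needs_reverse_lookup(pattern: str) -> bool:
    """True for the item kinds that can only be matched against the caller's
    host name, i.e. the ones that force a reverse lookup on every call."""
    return classify(pattern) in ("wildcard", "regex")


def check_host(patterns: List[str], ip: str,
               reverse: Optional[Dict[str, Optional[str]]] = None,
               forward: Optional[Dict[str, str]] = None) -> Tuple[bool, int, int]:
    """Evaluate an accept list for one caller.  Returns (accepted, SMTP code,
    number of reverse lookups made).  A failed reverse lookup gives a 5xx
    reply, as the message describes; the result is cached so one call never
    triggers more than a single reverse query."""
    reverse = REVERSE if reverse is None else reverse
    forward = FORWARD if forward is None else forward
    lookups = 0
    hostname: Optional[str] = None
    looked_up = False
    for pattern in patterns:
        kind = classify(pattern)
        if kind == "any":
            return True, 250, lookups
        if kind == "ip":
            if pattern == ip:
                return True, 250, lookups
            continue
        if kind == "name":
            # Forward lookup of the literal name; no reverse query is needed.
            if forward.get(pattern) == ip:
                return True, 250, lookups
            continue
        # Wildcard or regex: the caller's name is required, so reverse-resolve it.
        if not looked_up:
            hostname = reverse.get(ip)
            looked_up = True
            lookups += 1
        if hostname is None:
            return False, 550, lookups  # reverse lookup failed: permanent error
        if kind == "wildcard" and fnmatch.fnmatchcase(hostname, pattern):
            return True, 250, lookups
        if kind == "regex" and re.match(pattern[1:], hostname):
            return True, 250, lookups
    return False, 550, lookups


if __name__ == "__main__":
    for accept_list in (["mail.example.com"], ["*.example.com"], ["^.*$"], ["*"]):
        for caller in REVERSE:
            print(accept_list, caller, check_host(accept_list, caller))
```

Running the block prints, for each of the four list styles, whether each constructed caller is accepted and how many reverse lookups were needed: only the wildcard and regex lists make a query, and only those can fail with a 5xx on the caller whose PTR record is missing.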