On Tue, 4 Aug 1998, James FitzGibbon wrote:
> We think we've found a small bug in exim's host_lookup routines,
> specifically those dealing with reverse DNS for a host.
>
> Let's say that we want to run a mail server that does not care if you have
> proper reverse DNS. If you include sender_{host,net}_reject lines in your
> config file, exim will always reject connections from such hosts, even if
> you don't use host_lookup_nets.
Not strictly accurate. If you include sender_host_reject (note, host,
not net) AND the contents of that option are wildcarded, then Exim has
to do a DNS reverse lookup. Otherwise, if you are using a daemon, it
does a forward lookup when it starts up. So:
Case A: you say

    sender_host_reject = a.complete.host.name

When the daemon starts up, it does a forward lookup on the name
and saves the IP address. When a connection happens, it
compares the IP address.

Case B: you say

    sender_host_reject = *.partial.domain

When a connection happens, Exim does a reverse lookup on the IP
address in order to obtain the host name. Then it can match
that name against "*.partial.domain". That is the only thing it
can do - it can't trust the data in the HELO line because that
is trivially forged. (And anyway, it hasn't received the HELO
line yet.)
When the reverse DNS lookup fails, by default, Exim has to reject the
call, for safety. In effect, the host name is unknown. However, you can
configure it to accept instead, by setting, for example,

    sender_host_reject = +accept_unknown:*.partial.domain

so that it will accept hosts whose names are unknown. All this is
explained in sections 7.15 (Host lists) and 41.2 (Other host checking)
of the 2.0 edition of the manual.
The alternative is to specify rejections by IP address, but this isn't
very nice.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
--
*** Exim information can be found at
http://www.exim.org/ ***
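The three cases above (forward lookup at daemon start for complete names, reverse lookup at connection time for wildcards, and +accept_unknown when the reverse lookup fails) modelled as a small matcher. This is an added illustration, not Exim's own code; the DNS tables, IP addresses and host names are constructed, and treating any item containing "*" as a wildcard is a simplification.

```python
import fnmatch

# Constructed stand-ins for real forward and reverse DNS.
FORWARD = {"mail.example.org": "192.0.2.10"}
REVERSE = {"192.0.2.10": "mail.example.org",
           "192.0.2.20": "relay.partial.domain"}


def compile_host_list(option_value, forward=FORWARD):
    """Daemon start-up: complete host names are forward-resolved once
    and kept as IP addresses; wildcard items are kept as patterns."""
    spec = {"accept_unknown": False, "ips": set(), "patterns": []}
    for item in option_value.split(":"):          # Exim lists are colon-separated
        item = item.strip()
        if item == "+accept_unknown":
            spec["accept_unknown"] = True
        elif "*" in item:
            spec["patterns"].append(item.lower())  # needs reverse DNS later
        elif item in forward:
            spec["ips"].add(forward[item])
    return spec


def host_rejected(spec, peer_ip, reverse=REVERSE):
    """Connection time: True if sender_host_reject matches the caller."""
    if peer_ip in spec["ips"]:                    # Case A: compare addresses
        return True
    if not spec["patterns"]:
        return False                              # no wildcard, no reverse lookup
    name = reverse.get(peer_ip)                   # Case B: reverse lookup
    if name is None:
        # Reverse lookup failed: the host name is unknown, so reject for
        # safety unless +accept_unknown was given in the list.
        return not spec["accept_unknown"]
    return any(fnmatch.fnmatchcase(name.lower(), p) for p in spec["patterns"])
```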