Re: [EXIM] Possible bug in hosts_lookup_nets ?

Author: Philip Hazel
Date:  
To: James FitzGibbon
CC: exim-users
Subject: Re: [EXIM] Possible bug in hosts_lookup_nets ?
On Tue, 4 Aug 1998, James FitzGibbon wrote:

> We think we've found a small bug in exim's host_lookup routines,
> specifically those dealing with reverse DNS for a host.
>
> Let's say that we want to run a mail server that does not care if you have
> proper reverse DNS. If you include sender_{host,net}_reject lines in your
> config file, exim will always reject connections from such hosts, even if
> you don't use host_lookup_nets.


Not strictly accurate. If you include sender_host_reject (note, host,
not net) AND the contents of that option are wildcarded, then Exim has
to do a DNS reverse lookup. Otherwise, if you are using a daemon, it
does a forward lookup when it starts up. So:

Case A: you say

         sender_host_reject = a.complete.host.name


         When the daemon starts up, it does a forward lookup on the name 
         and saves the IP address. When a connection happens, it 
         compares the IP address.


Case B: you say

         sender_host_reject = *.partial.domain


         When a connection happens, Exim does a reverse lookup on the IP 
         address in order to obtain the host name. Then it can match 
         that name against "*.partial.domain". That is the only thing it 
         can do - it can't trust the data in the HELO line because that 
         is trivially forged. (And anyway, it hasn't received the HELO 
         line yet.)


When the reverse DNS lookup fails, by default, Exim has to reject the
call, for safety. In effect, the host name is unknown. However, you can
configure it to accept instead, by setting, for example,

         sender_host_reject = +accept_unknown:*.partial.domain


so that it will accept hosts whose names are unknown. All this is
explained in sections 7.15 (Host lists) and 41.2 (Other host checking)
of the 2.0 edition of the manual.

The alternative is to specify rejections by IP address, but this isn't
very nice.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
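The two cases above, modelled as an added example (this is not Exim's own code and the host names, addresses and the DNS tables are constructed): complete names in sender_host_reject are resolved forward once at startup, wildcarded items force a reverse lookup at connection time, a failed reverse lookup rejects by default, and +accept_unknown lets such a call through. The assumption that with +accept_unknown a wildcarded item simply does not match an unknown host and checking continues with the remaining items is the example's own.

```python
import fnmatch

# Constructed stand-in for the resolver; none of these are real hosts.
FORWARD = {"a.complete.host.name": "192.0.2.10"}
REVERSE = {"192.0.2.10": "a.complete.host.name",
           "192.0.2.20": "mx.partial.domain",
           "192.0.2.30": "other.example"}      # 192.0.2.40 has no PTR record


def parse_host_list(option):
    """Split a colon-separated host list and pull out the +accept_unknown flag."""
    items = [i.strip() for i in option.split(":") if i.strip()]
    accept_unknown = "+accept_unknown" in items
    return accept_unknown, [i for i in items if i != "+accept_unknown"]


def daemon_startup(option):
    """Case A: a complete name is looked up forward once and the address saved.
    A wildcarded item cannot be resolved now, so it is kept as a name pattern."""
    accept_unknown, items = parse_host_list(option)
    entries = []
    for item in items:
        if "*" in item:
            entries.append(("pattern", item))            # needs reverse DNS later
        else:
            entries.append(("ip", FORWARD[item]))        # assumed to resolve
    return accept_unknown, entries


def check_connection(state, peer_ip):
    """Per-connection decision: 'reject' or 'accept' for the calling address."""
    accept_unknown, entries = state
    peer_name = None                                     # reverse lookup is lazy
    for kind, value in entries:
        if kind == "ip":
            if value == peer_ip:                         # no DNS needed at all
                return "reject"
            continue
        # Case B: only a reverse lookup can supply a name to match the pattern;
        # the HELO name is untrusted and has not even been received yet.
        peer_name = REVERSE.get(peer_ip)
        if peer_name is None:
            if not accept_unknown:
                return "reject"                          # unknown host: reject for safety
            continue                                     # assumption: item just fails to match
        if fnmatch.fnmatchcase(peer_name, value):
            return "reject"
    return "accept"
```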



--
*** Exim information can be found at http://www.exim.org/ ***