Re: [Exim] Prohibition message

Author: Peter Radcliffe
Date:  
To: exim-users
Subject: Re: [Exim] Prohibition message
Philip Hazel <ph10@???> probably said:
> We define it always. Period. (And run software - makezones - that
> insists on it.)


Which is great when you have that level of control over the DNS. I do
over all the places I have machines that send mail to other mail
servers, currently.

We don't define reverse DNS at work until needed, since then it can
get out and be valid faster when it is assigned.

> host_reject_recipients = *.well.known.spammer.domain


which ends up blocking hosts without DNS. No, I'm not missing the point.

> is easier to set up than finding out all the network addresses of that
> domain. However, if you have any blocks like this, Exim has to do a
> reverse DNS lookup in order to find out the sending host's name, in
> order to do the wildcard match. If it can't find out the name, it has no
> option but to block, just in case. That's what's happened in a lot of
> these cases.


That style of blocking is not something I'd ever rely on. I block by
IP range or use *. with +allow_unknown and fill in any gaps. DNS is
too unreliable on many machines, as the desire to have them set
everywhere is showing.

> > Reverse/forward DNS matching is nice and _should_ be reasonable for
> > all active machines. Unfortunately it isn't true for all machines
> > where valid mail comes from. If you choose to drop valid mail, that's
> > your decision but none of your arguments really make any sense to me.
> I hope my explanation has helped.


Not really. In a perfect world, yes, that would be wonderful. This
isn't a perfect world (or network) and if it was we wouldn't need to
be blocking things.


I once, accidentally, put a blocking list in the wrong order on one of
my mailservers so the +allow_unknown was after a *. list. I lost
valid mail. Things haven't changed significantly since then.

Grepped from my mail logs on a quiet mailserver, so far today (EST). 4
machines without valid DNS. 2 of them are perfectly valid mail, one
for me one for another user. This is just a quiet personal mail server.

I've got many of the header and syntax checking options on, and I
fight that battle with people enough; at least people have control over
the mail software they use and its configuration, most of the
time. Trying to get valid DNS for every server that sends me mail is a
losing battle right now. The person running the machine can have zero
control over it.

When I was consulting I was twice in the situation where there was
just no way to get DNS set up correctly. It happens for political
reasons as well as stupid spammers :/ Eventually the brick wall hurts
too much and you stop hitting your head against it.

P.

-- 
pir                  pir@???                    pir@???
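The ordering mistake described in the post above, shown as an added illustration that is not from the original thread or from the Exim distribution. It assumes the Exim 3 host-list semantics the thread describes: items are evaluated left to right, a `*.` pattern needs a reverse lookup, and `+allow_unknown` only changes how lookup failures are treated for the items that follow it. The spammer domain is the placeholder already used in the thread.

```exim
# Wrong order (the setup that lost valid mail): the wildcard is evaluated
# before +allow_unknown, so a sending host with no reverse DNS fails the
# name lookup on the *. item and, as the thread explains, is blocked
# "just in case" before +allow_unknown is ever reached.
host_reject_recipients = *.well.known.spammer.domain : +allow_unknown

# Corrected order: +allow_unknown comes first, so a host whose name cannot
# be found is treated as not matching the wildcard that follows it and
# the mail is accepted; hosts that DO resolve to the listed domain are
# still rejected. Explicit address ranges (the poster's preferred method)
# need no lookup at all and work regardless of position.
host_reject_recipients = +allow_unknown : \
                         *.well.known.spammer.domain : \
                         192.0.2.0/24
```

The `192.0.2.0/24` range is a documentation-only placeholder standing in for whatever netblocks an administrator has actually chosen to reject.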