Re: Fwd: Re: [Exim] Exim Help

Author: Philip Hazel
Date:  
To: Thomas Fini Hansen
CC: Exim Users
Subject: Re: Fwd: Re: [Exim] Exim Help
On Tue, 14 Aug 2001, Thomas Fini Hansen wrote:

> So exim looks up the connecting host and compares strings rather than
> looking up the name in the config and comparing IPs? Or do a forward
> lookup of the IP gathered from the reverse lookup to make sure they
> match (I'd say that's pretty much required for any DNS based
> 'authentication', but what do I know?).


Sigh. Please RTFM. It is all documented. Here is the relevant extract
from spec.txt, which I found in a few seconds by grepping for "reverse":

-----------------------------------------------------------------------

 .   If the item is a plain domain name, Exim calls "gethostbyname()" to find
     its IP address(es). This typically causes a forward DNS lookup of the
     name. The result is compared with the IP address of the subject host.


The remaining items are wildcarded patterns for matching against the host
name. If the host name is not already known, Exim calls "gethostbyaddr()" to
obtain it from the IP address. This typically causes a reverse DNS lookup to
occur.
-----------------------------------------------------------------------

So, if you have

sender_host_reject = a.b.c.d

Exim will do a forward lookup for a.b.c.d and compare IP addresses.
However, if you have

sender_host_reject = *.b.c.d

Exim will do a reverse lookup on the IP address to find the host name,
and then compare that against *.b.c.d.

I did some experiments which showed that the gethostbyaddr() function,
on some OS at least, does a double check that the name it finds by
reverse lookup produces the original IP address when looked up itself.
Exim used to have such a test itself, but I took it out when I learned
that it was included in gethostbyaddr().

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
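
The two matching modes described in the message above, with the reverse-then-forward double check done explicitly rather than left to gethostbyaddr(). This is an added example, not part of the original message and not Exim's code. The function names, the `confirm` flag and the sample records are assumptions made for illustration, and the wildcard handling is simplified to a leading `*`.

```python
import socket

def forward(name):
    """Forward lookup (gethostbyname): name -> set of IPv4 addresses."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def reverse(ip):
    """Reverse lookup (gethostbyaddr): IP -> primary host name, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def host_matches(item, ip, fwd=forward, rev=reverse, confirm=True):
    """Match one host-list item against the connecting IP address."""
    item = item.lower()
    if not item.startswith("*"):
        # Plain domain name: forward lookup, compare IP addresses.
        return ip in fwd(item)
    # Wildcarded pattern: reverse lookup, compare host names.
    name = rev(ip)
    if name is None:
        return False
    name = name.lower().rstrip(".")
    # Double check: the name from the PTR record must resolve back to the IP.
    if confirm and ip not in fwd(name):
        return False
    return name.endswith(item[1:])

# Constructed sample data (documentation address range, made-up names).
SAMPLE_A = {"mail.example.net": {"192.0.2.10"}, "relay.example.net": {"192.0.2.20"}}
# 192.0.2.99 has a PTR record claiming a name whose A record points elsewhere.
SAMPLE_PTR = {"192.0.2.10": "mail.example.net", "192.0.2.99": "relay.example.net"}

def sample_fwd(name):
    return SAMPLE_A.get(name, set())

def sample_rev(ip):
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    for item, ip in [("mail.example.net", "192.0.2.10"),
                     ("*.example.net", "192.0.2.10"),
                     ("*.example.net", "192.0.2.99")]:
        print(item, ip, host_matches(item, ip, sample_fwd, sample_rev))
```

With `confirm=False` the unconfirmed PTR name for 192.0.2.99 matches `*.example.net`, which is the case the double check exists to reject.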