Re: [Exim] Trying to compare HELO data with actual host info…

Author: Marc MERLIN
Date:  
To: Greg A. Woods
CC: Exim List
Subject: Re: [Exim] Trying to compare HELO data with actual host info in a filter...
On Wed, Sep 19, 2001 at 05:27:52PM -0400, Greg A. Woods wrote:
> [ On Wednesday, September 19, 2001 at 12:54:26 (-0700), Marc MERLIN wrote: ]
> > Subject: Re: [Exim] Trying to compare HELO data with actual host info in a filter...
> >
> > On Mon, Sep 17, 2001 at 04:40:06PM +0100, Alan Thew wrote:
> > > The following type of thing happens all the time
> > >
> > > Received: from 209-187-167-231.hsacorp.net ([209.187.167.231]
> > >     helo=hotmail.com)

> > >
> > > I would like to compare the actual rDNS data with the HELO info in the
> > > specific case of hotmail.
> >
> > I don't recommend you do this though.
> > Of course, Greg Woods wrote long mails to explain why it's good,
>
> Ah, no, that's what I wrote about at all. I said almost NOTHING about rDNS!
>
> Get your facts straight Marc!
>
> (And fix your broken DNS too!!!!)


My DNS works fine, thank you.

> > Greg's setup reject my mails because EHLO says magic.hdqt.valinux.com but
> > the connection comes from nat-hdqt.valinux.com.
>
> Yes. You are clearly violating paragraph one of RFC 1123 section 5.2.5.
>
> Regardless of what paragraph two says I'm holding you to the rule in
> paragraph one.


Let's see:
"The sender-SMTP MUST ensure that the <domain> parameter in a HELO command is
a valid principal host domain name for the client host. As a result, the
receiver-SMTP will not have to perform MX resolution on this name in order
to validate the HELO parameter."

magic.hdqt.valinux.com is "a valid principal host domain name for the
client host".
It doesn't say anything about it having to be resolvable by you. For that
matter, it says that you are not supposed to perform a lookup on it.

I'm sure you'll argue this anyway, but you were the first one to say that
RFCs aren't always the absolute gospel. I suppose that when in doubt, you
are, right?

> Oddly your site is one of very very few that have trouble sending me e-mail.


That's fine.
You are the only person that is rejecting my mail.
you very few > my "you are the only one"
Either way, numbers aren't relevant.

> Most people manage to configure their mailers and DNS properly and
> everything works fine.


Both are configured quite fine, thanks for enquiring. I explained the setup
here as a valid example of why the domain in EHLO doesn't have to be the IP
you see a connection from (NAT), and you conveniently ignore it.

> > In other words, filtering on EHLO/HELO is typically bad news, you'll break
> > some perfectly valid setups.
>
> It only breaks broken setups. Your setup is not valid. You are clearly
> violating the RFCs and hindering clear communications. It wouldn't be


If you say so, it must be true then.

> BTW your DNS setup is still broken too. Simple queries with a tool like
> 'host' point these out with glaring clarity. For example.
>
> $ host -A mail.sourceforge.net
> !!! mail.sourceforge.net address 216.136.171.198 maps to usw-sf-lists.sourceforge.net
>
> $ host -A externalmx.VALINUX.COM
> !!! externalmx.VALINUX.COM address 198.186.202.147 maps to panoramix.valinux.com


Yeah, so? Are you going to show me an RFC that says that rDNS has to
magically map back to all possible domains MXed to a box?
Or maybe is it forbidden to have multiple As pointing to the same IP now?
rDNS and fDNS match, that's all you should care about.
Either way, this is not appropriate for discussion here, you can send your
complaints to the postmasters of the respective domains, and your Emails
will continue to be ignored as long as you keep bouncing answers.
Using the exim mailing list to get support because you can't receive mail is
not an appropriate use of the list.

> You still have a lot to learn about what "correct headers" means, and
> the difference between headers and the SMTP envelope.....


You're so funny.
http://marc.merlins.org/netrants/autoresponders.txt

> Your mailer is now so completely broken that I can't send e-mail at all
> to your postmaster address, or to many of the lists hosted at
> sourceforge. I've been trying to e-mail you about bounces I'm getting.


You're welcome to get sourceforge support through the proper channels
(support request on the SF web site).

>     Delay reason: SMTP error from remote mailer after end of data:
>     host mail.sourceforge.net [216.136.171.198]: 451-Envelope sender verification failed
>     451 rejected: can't currently verify any sender in the header lines (envelope sender is <woods@???>). Are you sure your domain in From:
>     and/or Reply-To: resolves from the internet (host -t MX domain) and can be connected back to for delivery of replies? - Failure is temporary, you can try again later

>
>
> Clearly your own nameserver can in fact find records for my sender
> address domain:


I can't make the error message more clear:
"Are you sure your domain in From: and/or Reply-To: resolves from the
internet (host -t MX domain) and can be connected back to for delivery of
replies"

1) the error message clearly refers to header from (weird.com, not
proven.weird.com). Funny that you were telling me that I don't know the
difference between the two

2) "and can be connected back to for delivery of replies"

220-most.weird.com Smail-3.2.0.115-Pre (#1 2001-Aug-6)
220-ready at Wed, 19 Sep 2001 17:57:04 -0400 (EDT)
220 ESMTP supported
ehlo usw-sf-list1.sourceforge.net
501-EHLO requires a valid host name as operand: 'usw-sf-list1.sourceforge.net'
501-connection rejected from usw-sf-fw2.sourceforge.net remote address [216.136.171.252].
501-Reason given was:
501- no DNS A records for the hostname 'usw-sf-list1.sourceforge.net' have a
501 target address matching the source address [216.136.171.252]

I'm afraid that in addition to rejecting mail sent to you, you are
preventing your own mail from being accepted by sourceforge since you are
preventing SMTP callback.

Thank you for demonstrating my original point, which was that doing
verifications on the domain given in HELO was stupid.

Have a nice day
Marc

PS: Further attempts at getting sourceforge support on this list will
obviously be ignored
-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key
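
Added example, not part of the original message or of Exim or Smail: the strict test quoted in the 501 reply (an A record of the HELO name must equal the connecting address) next to a forward-confirmed reverse DNS check, run over the two connections mentioned in the thread. All DNS data is constructed; the 192.0.2.x and 198.51.100.x addresses are placeholders and the function names are hypothetical.

```python
"""Strict HELO-vs-source check compared with forward-confirmed reverse DNS.
All DNS data below is constructed for illustration; no network lookups."""

# name -> A records. 192.0.2.0/24 and 198.51.100.0/24 values are placeholders.
A_RECORDS = {
    "usw-sf-list1.sourceforge.net": {"192.0.2.10"},      # assumed: not the NAT address
    "usw-sf-fw2.sourceforge.net": {"216.136.171.252"},
    "hotmail.com": {"198.51.100.25"},                    # placeholder
    "209-187-167-231.hsacorp.net": {"209.187.167.231"},  # assumed forward-confirmed
}
# address -> PTR name
PTR_RECORDS = {
    "216.136.171.252": "usw-sf-fw2.sourceforge.net",
    "209.187.167.231": "209-187-167-231.hsacorp.net",
}


def normalize(name):
    """Lower-case a host name and drop a trailing root dot."""
    return name.lower().rstrip(".")


def helo_matches_source(helo, source_ip):
    """Strict test from the 501 reply: an A record of HELO equals the peer address."""
    return source_ip in A_RECORDS.get(normalize(helo), set())


def fcrdns(source_ip):
    """Forward-confirmed reverse DNS: the PTR name resolves back to the address."""
    ptr = PTR_RECORDS.get(source_ip)
    return ptr is not None and source_ip in A_RECORDS.get(normalize(ptr), set())


def evaluate(helo, source_ip):
    """Return both verdicts so the two policies can be compared per connection."""
    return {
        "helo_matches_source": helo_matches_source(helo, source_ip),
        "fcrdns": fcrdns(source_ip),
    }


CASES = [
    ("list host behind NAT", "usw-sf-list1.sourceforge.net", "216.136.171.252"),
    ("HELO hotmail.com from hsacorp.net", "hotmail.com", "209.187.167.231"),
    ("firewall announcing its own name", "usw-sf-fw2.sourceforge.net", "216.136.171.252"),
]

if __name__ == "__main__":
    for label, helo, ip in CASES:
        print(f"{label}: {evaluate(helo, ip)}")
```

With this data the first two cases return identical verdicts (HELO mismatch, reverse DNS confirmed), so the strict HELO test alone does not separate the NAT case from the hotmail.com case.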