Re: [Exim] double check DNS

Author: Matthew Byng-Maddick
Date:  
To: exim-users
Subject: Re: [Exim] double check DNS
[after getting many copies of this, I've trimmed the recipients back to the
list only]
On Mon, Nov 19, 2001 at 04:26:28PM -0800, Marc MERLIN wrote:
> On Mon, Nov 19, 2001 at 03:22:02PM -0500, Dave C. wrote:
> > MANY, MANY legitimate hosts on the internet are not configured to give a
> > HELO string that matches any hostname that corresponds to any IP
> > address..
> Any mail server behind a nat firewall for one
> (outbound mail gets masqueraded, inbound mail comes on 25, which is
> forwarded to the internal machine)
Fine, and those should be going to a smarthost, which can check. If they
connect directly to me, then I'm not sure I want to talk to them.

> All my linux users sending mail from their laptop on whatever intranet they
> happen to be sitting on (the hostname in HELO can be valid, but obviously
> it's going to be different from the reverse name linked to the firewall's
> outbound IP)

And I want to receive mail from people who won't consider a smarthost which
can actually deliver the mail because?

> > The best thing to do about bogus HELO strings is to make sure that your
> > Received headers always indicate the real IP address of the remote
> > connection, and clearly distinguish between a hostname derived from
> > reverse lookup (if any), and the string given as an argument to HELO.
> Yep.
I agree too.

> I care about what IP the mail came from, I care that the header and envelope
> sender are correct (so that I can bounce back as needed).
Yes. Indeed.

> As far as HELO is concerned, it's actually useful if it has some
> "hostfoo.intranet.company.tld" value, because even if I can't look it up, I
> can contact the company.tld postmaster and tell them that hostfoo is busted.
No. It should be *EXTERNALLY* resolvable, i.e. I can look up the name and get
an answer back which verifies that this is in fact this machine. Your laptop
users should be using a smarthost, and it is only the smarthost that will
ever show me its HELO line.

> Without this unresolvable hostname, all I'd have is nat.company.tld in the
Then that's your business to put in your received lines. I don't want to
accept mail from some NAT gateway.

> received lines, which doesn't help the postmaster over there to track down
> the real sender.

Indeed. Whereas it being behind some NAT gateway allows the real sender to
hide their identity and spam. Fantastic!

MBM

-- 
Matthew Byng-Maddick         <mbm@???>           http://colondot.net/
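The two checks argued over above, a HELO name that can be looked up from outside and confirmed against the connecting address, and a Received line that records the real peer IP while keeping the reverse-lookup name visibly separate from the HELO argument, as an added Python example that is not part of this thread and not Exim's own code. The DNS tables are constructed stand-ins for real A and PTR lookups, and the header layout follows the `from <helo> (<rdns> [<ip>])` convention.

```python
from ipaddress import ip_address

# Constructed DNS data (documentation addresses, not real hosts) standing in
# for forward (A) and reverse (PTR) lookups so the check runs offline.
FORWARD_A = {"mx1.example.net": ["192.0.2.10"],
             "nat.example.org": ["198.51.100.7"]}
REVERSE_PTR = {"192.0.2.10": "mx1.example.net",
               "198.51.100.7": "nat.example.org"}


def _canon(name):
    return name.strip().lower().rstrip(".")


def lookup_a(name):
    return FORWARD_A.get(_canon(name), [])


def lookup_ptr(ip):
    return REVERSE_PTR.get(ip)


def helo_verifies(helo, peer_ip):
    """True when the HELO argument can be confirmed from the outside: an
    address literal equal to the peer address, a name whose A records include
    the peer address, or the peer's own PTR name (case-insensitive)."""
    helo = helo.strip()
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return ip_address(helo[1:-1]) == ip_address(peer_ip)
        except ValueError:
            return False
    name = _canon(helo)
    if not name:
        return False
    if peer_ip in lookup_a(name):
        return True
    ptr = lookup_ptr(peer_ip)
    return ptr is not None and _canon(ptr) == name


def received_header(helo, peer_ip, local_host, when):
    """The HELO string comes first, the reverse name (if any) and the real
    peer IP sit in the parenthesised comment, so a reader can never mistake
    the client's claim for something the server looked up itself."""
    ptr = lookup_ptr(peer_ip)
    origin = f"{ptr} [{peer_ip}]" if ptr else f"[{peer_ip}]"
    status = "verified" if helo_verifies(helo, peer_ip) else "unverified"
    return (f"Received: from {helo} ({origin}; helo {status})\n"
            f"\tby {local_host} with smtp; {when}")
```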