Re: [Exim] double check DNS

Author: Exim Users Mailing List
Date:  
To: Exim Users Mailing List
Subject: Re: [Exim] double check DNS
[ On Tuesday, November 20, 2001 at 11:49:08 (-0500), Dave C. wrote: ]
> Subject: Re: [Exim] double check DNS
>
> That actually _matches_ the forward and reverse lookup of their IP
> address? You must be on a different Internet than I am... Add to those
> NT systems all the Novell junk, all the Mac based MTA's, lots of
> firewalled systems, lots of systems that just 'mail.domain.com', but
> their IP address is something entirely different..


Perhaps I just have a different way of counting, though I assure you
that you are most certainly exaggerating, and I have mailer logs from
several different classes of mail systems to back me up on this. I also
know from several years of experience that most people are quite happy
to correct their configurations and very thankful that their error has
(finally) been pointed out to them.

Admittedly there are still too many broken systems for the average ISP
to stick to their guns on validating the greeting name, especially in a
competitive market where the users can demand that any and all junk be
accepted. However many independent mail server operators are generally
able to better assume that someone who wants to send a message to their
domain will do whatever it takes to have their server's configuration
corrected. For my own systems the critical mass of correctly configured
SMTP neighbours was reached long before I even considered enabling
greeting validation.

> Not that I'm complaining, just pointing out that HELO is essentially a
> useless piece of data anymore. The only thing it could possibly have
> been used for was the obsolete TURN command.....


On the contrary -- it's the only real indicator of the trail a message
took from source to origin (though in an ideal world this name will
match the name in the "by" clause of the "Received:" header the sending
machine itself added). Not all e-mail travels only one hop. Of course
as such an indicator it's only of any use if it's been validated. Even
for a mail server an IP address may not have the same lifetime of
assignment as an e-mail header's lifetime (literally the assignment is
only valid for the length of the TTL on the record and after that
expires the name MUST be looked up again).

The whole purpose behind having the DNS is to disassociate IP addressing
from organisational naming and as such the IP address is really only a
valid identifier at the time the HELO greeting is presented (plus the
remaining TTL of the record in the DNS) so it must be validated AT THAT
TIME. If the name doesn't match at that time it's impossible to tell
whether it's correct, or even close to correct (even with reverse DNS to
corroborate a partial domain name match!). That same rule of thumb
applies for every service that involves using hostnames for
identification or logging, not just SMTP. If you want to get really
paranoid about naming consistency then you validate the reverse DNS too.

I'm not talking about real security here -- just basic integrity of the
SMTP server configuration and a plain simple audit trail that can be
used reliably, in conjunction with the associated mail server logs of
course, to track down the path a message might have taken after the
fact, even long after the fact.

Getting this stuff right is ever more important in a day and age when
even many of the so called SMTP postmasters can't read between the lines
of the average "Received:" header, let alone any user doing so. The
advice in RFC 1123 5.2.5 para#2 was useless a couple of years after it
was written, never mind now, two decades later, after the public
Internet has really gone big-time commercial.

-- 
                            Greg A. Woods


+1 416 218-0098      VE3TCP      <gwoods@???>     <woods@???>
Planix, Inc. <woods@???>;   Secrets of the Weird <woods@???>
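As an added illustration (not code from this thread, and not Exim's own implementation), the following models the check argued for above: the HELO name must forward-resolve to the connecting address at the time of the greeting, the answer is only trusted for its TTL, and optionally the reverse mapping must agree. The DNS data is a constructed in-memory table with hypothetical names and addresses, and `fetched_at` stands in for the time a cached answer was obtained.

```python
# Constructed zone snapshot (hypothetical names/addresses, not from the thread).
# Forward: name -> (addresses, ttl_seconds); reverse: address -> (names, ttl_seconds)
FORWARD = {
    "mail.example.net": (["192.0.2.25"], 3600),
    "mail.example.org": (["198.51.100.7"], 300),  # greets as mail.*, PTR says mx.*
    "mx.example.org": (["198.51.100.7"], 300),
}
REVERSE = {
    "192.0.2.25": (["mail.example.net"], 3600),
    "198.51.100.7": (["mx.example.org"], 300),
}


def lookup(table, key, now, fetched_at=0):
    """Return the cached record set, or None if the name is unknown or the
    answer's TTL has expired relative to `now` (the point made above: after
    the TTL the name MUST be looked up again, so a stale answer is worthless)."""
    rec = table.get(key)
    if rec is None:
        return None
    values, ttl = rec
    if now - fetched_at > ttl:
        return None  # expired: caller has to re-query, not reuse this
    return values


def verify_helo(helo, peer_ip, now, check_reverse=False, fetched_at=0):
    """Return (ok, reason). ok is True only when the HELO name forward-resolves
    to the peer address right now; with check_reverse the PTR name must also
    forward-confirm and equal the HELO name (the 'really paranoid' variant)."""
    addrs = lookup(FORWARD, helo, now, fetched_at)
    if addrs is None:
        return False, "no current A record for HELO name"
    if peer_ip not in addrs:
        return False, f"HELO {helo} does not resolve to {peer_ip}"
    if check_reverse:
        names = lookup(REVERSE, peer_ip, now, fetched_at)
        if not names:
            return False, "no current PTR record for peer address"
        # Forward-confirmed reverse DNS: some PTR name must map back to the peer.
        if not any(peer_ip in (lookup(FORWARD, n, now, fetched_at) or [])
                   for n in names):
            return False, "PTR name does not resolve back to peer address"
        # A partial domain match (same example.org) is not enough; names must agree.
        if helo not in names:
            return False, f"HELO {helo} is not the PTR name {names}"
    return True, "ok"
```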