There's another gotcha with reverse DNS lookups:
Say I have my firewall which also has exim on board and port-forwards
http[s] requests to one of the W2K dummies in the DMZ. Now I have set up
DNS like "www.me.org IN A 123.1.2.3" and "mail.me.org CNAME www.me.org."
Now we do a reverse lookup and come back with "3.2.1.123 IN PTR
www.me.org." which is definitely *not* "mail.me.org" -> sayonara, spammer.
A legitimate alternative would be to see if the sending host's IP matches
what we get when we do an MX lookup on the sender's domain. We see
"mail.me.org [123.1.2.3]" and we see "me.org MX www.me.org" and then
"www.me.org IN A 123.1.2.3" -> okay, 123.1.2.3 *is* a valid MX for me.org.
This relieves people from having to implement reverse IP mappings but
forces them to 'register' their [sending] MTAs with their DNS. This would
also allow DynDNS wizardry. And those on a dialup line can [normally]
always use their ISP's MTA for relaying (and cross their fingers they did
their job right).
Does exim employ this verify_sender_via_MX_lookup thingie?
--Ben (user bhoc at domain pentagroup in country ch)
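To make the two checks in Ben's message concrete, the following is an added example (not part of the original post and not exim's own verification code). It models both the strict PTR comparison that rejects mail.me.org and the MX-based alternative, over a constructed in-memory zone that mirrors the records quoted above (www.me.org A, mail.me.org CNAME, me.org MX, and the PTR for 123.1.2.3); the zone, the function names and the ISP relay address 198.51.100.9 are assumptions made for the example, and no real DNS is queried.

```python
"""Sender-host verification: strict PTR match vs. MX-based match.

Added example, not from the original post or from exim. The zone below
is constructed to reproduce the records Ben quotes; nothing is resolved
over the network.
"""
import ipaddress

# Constructed zone data (assumption for this example), keyed by FQDN.
ZONE = {
    "A":     {"www.me.org.": ["123.1.2.3"]},
    "CNAME": {"mail.me.org.": "www.me.org."},
    "MX":    {"me.org.": [(10, "www.me.org.")]},
    # Reverse zone: 123.1.2.3 maps back to www.me.org, not mail.me.org.
    "PTR":   {"3.2.1.123.in-addr.arpa.": ["www.me.org."]},
}


def fqdn(name):
    """Normalise a host name to the trailing-dot form used in ZONE."""
    return name if name.endswith(".") else name + "."


def resolve_a(name, depth=0):
    """Follow a (bounded) CNAME chain, then return the A records."""
    if depth > 8:          # guard against a CNAME loop in hostile DNS
        return []
    name = fqdn(name)
    if name in ZONE["CNAME"]:
        return resolve_a(ZONE["CNAME"][name], depth + 1)
    return list(ZONE["A"].get(name, []))


def ptr_name(ip):
    """Build the in-addr.arpa owner name for an IPv4/IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_matches(ip, claimed_host):
    """Strict reverse check: does some PTR name equal the claimed host?

    This is the 'gotcha' in the post: mail.me.org is a CNAME for
    www.me.org, but the PTR says www.me.org, so a strict string
    comparison against mail.me.org fails.
    """
    return fqdn(claimed_host) in ZONE["PTR"].get(ptr_name(ip), [])


def sender_ip_is_mx_for(ip, sender_domain):
    """Ben's alternative: is the connecting IP one of the addresses of
    the sender domain's MX hosts (CNAMEs followed)?"""
    mx_hosts = [host for _, host in ZONE["MX"].get(fqdn(sender_domain), [])]
    return any(ip in resolve_a(host) for host in mx_hosts)


def verify_sender(ip, claimed_host, sender_domain):
    """Run both checks and report them side by side."""
    return {
        "ptr_match": reverse_matches(ip, claimed_host),
        "mx_match": sender_ip_is_mx_for(ip, sender_domain),
    }


if __name__ == "__main__":
    # The host from the post: passes the MX check, fails the strict PTR check.
    print(verify_sender("123.1.2.3", "mail.me.org", "me.org"))
    # A dialup user relaying through an ISP MTA (assumed address): the
    # sender domain's MX records say nothing about that relay, so the MX
    # check fails; this is the trade-off the post itself points out.
    print(verify_sender("198.51.100.9", "smtp.isp.example", "me.org"))
```

The second call shows the failure mode the post mentions: the MX check only accepts hosts the domain owner has published as MX, so mail that legitimately leaves via a third-party relay (an ISP's MTA) is rejected unless the domain's DNS lists that relay too.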