Re: [Exim] sender verify vs. broken mailer configs, again.

Author: Andrew - Supernews
To: exim-users
New-Topics: Re: [Exim] how to configure HELO/EHLO and DNS for multi-homed hosts
Subject: Re: [Exim] sender verify vs. broken mailer configs, again.
>>>>> "Greg" == Greg A Woods <woods@???> writes:

Greg> What's even funnier is that someone with known bad reverse DNS
Greg> would dare to run active sender address verifications.


I guess you'd reject this message if I sent it directly rather than
via the list. (well, actually I don't guess, I know)

trinity.supernews.net (which HELOs as trinity.supernews.net, because
that is its principal hostname) is on two networks for the purposes of
redundancy; it has two IPs, 216.168.1.22 and 216.168.2.22. Which one
gets used for an outgoing connection depends on whether the network
happens to be broken at the time and if so, in what way. (generally
it's 216.168.1.22 that gets used.)

Now, the rDNS for those two IPs is different so that they can be
distinguished where necessary (it is quite normal practice to
distinguish the rDNS names for multiple interfaces on a host):

216.168.1.22 is trinity.ranger.supernews.net
216.168.2.22 is trinity.delta.supernews.net

(trinity.supernews.net forward-resolves to both IPs, and both the
above names forward-resolve to the single IP that each corresponds
to).

Now, if you're going to require that the _reverse_ lookup on the
connecting IP match the HELO, then you're pretty much guaranteed to
reject mail not only from my (100% RFC-compliant) setup but also
any other similar setup. This is just one of the reasons why the
standards say that you MUST NOT reject mail just because you don't
like the HELO.

Verifying based on the reverse lookup is insane anyway. Forward
lookups are vastly more reliable, and in this case require only one
query rather than at least two (i.e. you should forward-lookup the
HELO name and verify that it has an A record matching the connecting
IP, rather than do a PTR lookup on the IP _AND_ then do forward
lookups on all the returned names looking for a hostname match).

Greg> Active sender address verification by SMTP is evil -- it does
Greg> nothing that cannot be done just as well by far less
Greg> error-prone means.


One of the significant advantages of active verification (which,
however, we don't use) is that it prevents you from receiving mail
from systems which are sufficiently blatantly misconfigured as to make
it impossible to reply.

--
Andrew, Supernews
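The two HELO-checking strategies contrasted in the post (forward-resolve the HELO name and look for an A record equal to the connecting IP, versus PTR on the IP followed by forward confirmation of each returned name) are worked through below against the trinity.supernews.net data given above. This is an added example, not code from the post, the list, or Exim; the `FakeResolver`, its query counter and the `compare` helper are constructed here so the check runs offline, and the 192.0.2.1 peer is a made-up address from the documentation range standing in for an unrelated host.

```python
# Constructed zone data mirroring the setup described in the post:
# trinity.supernews.net has two A records, each IP has a distinct PTR,
# and each PTR name forward-resolves only to its own IP.
FORWARD = {
    "trinity.supernews.net": ["216.168.1.22", "216.168.2.22"],
    "trinity.ranger.supernews.net": ["216.168.1.22"],
    "trinity.delta.supernews.net": ["216.168.2.22"],
}
REVERSE = {
    "216.168.1.22": ["trinity.ranger.supernews.net"],
    "216.168.2.22": ["trinity.delta.supernews.net"],
}


class FakeResolver:
    """Offline stand-in for a DNS resolver (assumption: real code would
    call the system resolver here). Counts queries so the two strategies
    can be compared on cost as well as outcome."""

    def __init__(self, forward, reverse):
        self.forward = forward
        self.reverse = reverse
        self.queries = 0

    def a(self, name):
        self.queries += 1
        return list(self.forward.get(name.lower().rstrip("."), []))

    def ptr(self, ip):
        self.queries += 1
        return list(self.reverse.get(ip, []))


def helo_forward_check(resolver, helo, peer_ip):
    """Forward strategy from the post: one A lookup on the HELO name;
    pass if any returned address equals the connecting IP."""
    return peer_ip in resolver.a(helo)


def helo_reverse_check(resolver, helo, peer_ip):
    """Reverse strategy the post argues against: PTR on the connecting IP,
    then forward-resolve each returned name (PTR data alone is not
    trustworthy) and require one confirmed name to equal the HELO string."""
    for name in resolver.ptr(peer_ip):
        if peer_ip in resolver.a(name) and name.lower() == helo.lower():
            return True
    return False


def compare(helo, peer_ip):
    """Run both checks on the constructed data and return
    (forward_ok, forward_queries, reverse_ok, reverse_queries)."""
    fwd = FakeResolver(FORWARD, REVERSE)
    forward_ok = helo_forward_check(fwd, helo, peer_ip)
    rev = FakeResolver(FORWARD, REVERSE)
    reverse_ok = helo_reverse_check(rev, helo, peer_ip)
    return forward_ok, fwd.queries, reverse_ok, rev.queries


if __name__ == "__main__":
    # The multi-homed host from the post, connecting from either interface.
    for ip in ("216.168.1.22", "216.168.2.22"):
        print(ip, compare("trinity.supernews.net", ip))
    # An unrelated host presenting the same HELO (constructed case).
    print("192.0.2.1", compare("trinity.supernews.net", "192.0.2.1"))
```

For both of trinity's addresses the forward check passes after a single query, while the reverse check fails after two queries, exactly the false rejection the post describes; the unrelated host fails both. In keeping with the post's reading of the standards, a mismatch from either routine is better logged or fed into a reputation score than used as grounds for rejection on its own.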