Re: [Exim] sender verify vs. broken mailer configs, again.

Author: Andrew - Supernews
Date:  
To: exim-users
Subject: Re: [Exim] sender verify vs. broken mailer configs, again.
>>>>> "Andrew" == "Andrew - Supernews" <andrew@???> writes:

Andrew> Verifying based on the reverse lookup is insane
Andrew> anyway. Forward lookups are vastly more reliable, and in this
Andrew> case require only one query rather than at least two
Andrew> (i.e. you should forward-lookup the HELO name and verify that
Andrew> it has an A record matching the connecting IP, rather than do
Andrew> a PTR lookup on the IP _AND_ then do forward lookups on all
Andrew> the returned names looking for a hostname match).

It's perhaps worth noting that a) exim 4.20's algorithm for HELO
verification is not the same as that used by Mr. Woods and b) that if
exim's handling of PTR was fixed as I described in another post, then
its HELO verification would logically reduce to the simple forward
lookup described above, perhaps allowing the code to be simplified.

(at present it does the reverse lookup and checks for a match, then
tries the forward lookup from the HELO name. If PTRs were properly
validated, then this amounts to:
  valid iff ( (some PTR value == HELO value)
              AND (lookup(that PTR value) matches connecting IP) ) OR
            (lookup(HELO value) matches connecting IP)
which is clearly the same as
  valid iff ( (some PTR value == HELO value)
              AND (lookup(HELO value) matches connecting IP) ) OR
            (lookup(HELO value) matches connecting IP)
which by simple boolean logic ((A & B)|B) == B gives
  valid iff (lookup(HELO value) matches connecting IP)
QED.)


--
Andrew, Supernews
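
Added example, not part of the original message and not Exim's code: a brute-force check of the reduction above, comparing the two-stage check with the forward-only check over every possible small zone. The function names, the dict-based DNS tables and the addresses are constructed for illustration; validate_ptr models "PTRs properly validated" as the forward-confirmation step in the derivation.

```python
from itertools import product

def helo_two_stage(ip, helo, ptr, fwd, validate_ptr=True):
    """Reverse lookup, match against HELO, then fall back to a forward lookup."""
    names = ptr.get(ip, ())
    if validate_ptr:
        # Forward-confirm: keep a PTR name only if it resolves back to ip.
        names = [n for n in names if ip in fwd.get(n, ())]
    return helo in names or ip in fwd.get(helo, ())

def helo_forward_only(ip, helo, fwd):
    """Reduced check: the HELO name has an address record equal to the peer IP."""
    return ip in fwd.get(helo, ())

def subsets(items):
    """All subsets of a short tuple, used to enumerate record sets."""
    return [tuple(x for x, keep in zip(items, bits) if keep)
            for bits in product((0, 1), repeat=len(items))]

def count_disagreements(validate_ptr):
    """Try every zone over two IPs and two names; count differing verdicts."""
    ips = ("192.0.2.1", "192.0.2.2")            # constructed (RFC 5737 range)
    names = ("mail.example", "other.example")   # constructed
    differ = 0
    for ptr_sets in product(subsets(names), repeat=len(ips)):
        ptr = dict(zip(ips, ptr_sets))          # reverse zone: ip -> PTR names
        for fwd_sets in product(subsets(ips), repeat=len(names)):
            fwd = dict(zip(names, fwd_sets))    # forward zone: name -> addresses
            for ip, helo in product(ips, names):
                a = helo_two_stage(ip, helo, ptr, fwd, validate_ptr)
                b = helo_forward_only(ip, helo, fwd)
                differ += a != b
    return differ

if __name__ == "__main__":
    print("validated PTRs:  ", count_disagreements(True))
    print("unvalidated PTRs:", count_disagreements(False))
```

With validated PTRs the two checks never disagree, which is the ((A & B)|B) == B result. Without validation they differ exactly where a PTR names the HELO host but that host's forward record does not point back at the connecting IP.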