Author: James P. Roberts
Date:
To: exim-users
Subject: Re: Now well off-topic - was Re: [Exim] how to configure HELO/EHLO and DNS for multi-homed hosts
> > OK, now you've lost me, Greg. I suspect there is something in
> > what you said here that might explain the root of the disagreement.
> > I just don't know what it is, yet.
>
> The reason the Reverse DNS can sometimes be used as a quite reliable way
"sometimes" and "quite reliable" constitute an oxymoron. ;)
> to authenticate hostnames as having correct addresses is that the
> records retrieved from the Reverse DNS come from separate nameservers
> and from zones under separate authorities. This can raise the bar
> against potential attackers by several levels.
> <snip security lesson>
>
> The long answer is that you can and you do so by way of your service
> contract with your ISP. Having NS records pointing at your own
> nameserver isn't even remotely the only way to have "control" over your
> own Reverse DNS! As you can hopefully now see "direct" control isn't
> even necessarily desirable.
>
I don't disagree with you about the security aspects; however, I do continue
to disagree with your belief that I have any "control" over my reverse DNS
(direct or indirect). I do not, and it is my ISP's fault, and I do not have
sufficient leverage over them to make them change, nor do I have any feasible
alternative ISP available. THAT's the point you seem to be missing. Sadly, I
am obviously not alone in this condition. It is an object lesson in the evils
of monopolies.
Honestly, sir, I would set up my DNS as you suggest, if I could. But I cannot.
The bottom line is, although I am paying for a "business class" connection,
and I have been assigned a static IP block, I have NOT been properly delegated
authority for that block, and thus it is not possible, without the (obviously
non-existent) cooperation of my ISP, to do things in the manner you advocate.
How do we deal with this? Can we? I am open to suggestions. I'm afraid it
is no longer a technical issue, but a human issue. Solving it would be
helpful to many people. But please, don't think I have any control over my
ISP; I do not.
The only way I can see to even approximate a setup that would "get past the
Woods," so to speak, would be to use the weird hostname, created by my ISP for
the one and only PTR record for my static IP address, in my EHLO. But if I do
that, I will promptly be blocked by all the people that reject HELO/EHLO from
hosts that have a bunch of dotted numbers in their name (never mind that the
forward and reverse DNS entries for it are perfect). I have to choose between
two evils. I am trying to choose the lesser evil, in the sense of being able
to inter-operate with the largest subset of the internet that I can.
Since you are the only server I know that blocks me, I hereby respectfully
request to be white-listed, so that we can continue this discussion (and
future discussions) offline, if you wish. I fully respect your right to
decline my request, of course.
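The dilemma described in the message above (an EHLO name whose forward and reverse DNS agree, yet which looks like an ISP-generated "dotted numbers" label) can be made concrete with a small receiver-side check. The following is an added example written for this page; it is not code from the thread, from Exim, or from any of the participants. It implements forward-confirmed reverse DNS (PTR name must resolve back to the connecting address) and the octet-run heuristic that some receivers apply to HELO/EHLO names, using constructed, non-real DNS records so that it runs offline. The record contents, the function names and the `HeloVerdict` fields are all assumptions of this example.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional

# Constructed sample records (not real DNS data). The resolver functions below
# read from these dicts so the example runs offline; real code would query DNS.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "10-2-0-192.static.isp.example",  # ISP-assigned generic name
    "192.0.2.11": "mail.example.net",                 # customer-chosen name
}
A_RECORDS: Dict[str, List[str]] = {
    "10-2-0-192.static.isp.example": ["192.0.2.10"],
    "mail.example.net": ["192.0.2.11"],
    "mail.example.org": ["198.51.100.5"],             # no PTR points back here
}

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def sample_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query against the constructed table."""
    return PTR_RECORDS.get(ip)


def sample_a(name: str) -> List[str]:
    """Stand-in for an A query against the constructed table."""
    return A_RECORDS.get(name.rstrip(".").lower(), [])


def fcrdns(ip: str, ptr: PtrLookup = sample_ptr, a: ALookup = sample_a) -> Optional[str]:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.

    Returns the confirmed hostname, or None when either lookup fails or the
    forward and reverse records disagree.
    """
    name = ptr(ip)
    if not name:
        return None
    return name if ip in a(name) else None


# Heuristic used by some receivers: a hostname embedding four octets joined by
# dots or dashes is treated as a generic (ISP-generated) label.
_OCTET_RUN = re.compile(r"(?<![0-9])(?:\d{1,3}[-.]){3}\d{1,3}(?![0-9])")


def looks_generic(hostname: str) -> bool:
    """True when the name contains an octet run such as 10-2-0-192."""
    return _OCTET_RUN.search(hostname) is not None


class HeloVerdict(NamedTuple):
    helo_matches_ptr: bool     # EHLO name equals the forward-confirmed PTR name
    helo_resolves_to_ip: bool  # EHLO name's A records include the connecting IP
    generic_name: bool         # EHLO name trips the octet-run heuristic


def evaluate_helo(helo_name: str, ip: str,
                  ptr: PtrLookup = sample_ptr, a: ALookup = sample_a) -> HeloVerdict:
    """Combine the three signals a receiver might weigh for one EHLO/IP pair.

    The policy decision (accept, defer, reject) is deliberately left to the
    caller; the point is that a name can pass FCrDNS and still be flagged as
    generic, which is exactly the trade-off the message above describes.
    """
    helo = helo_name.rstrip(".").lower()
    confirmed = fcrdns(ip, ptr, a)
    return HeloVerdict(
        helo_matches_ptr=(confirmed is not None and confirmed.lower() == helo),
        helo_resolves_to_ip=(ip in a(helo)),
        generic_name=looks_generic(helo),
    )


if __name__ == "__main__":
    for helo, ip in [("10-2-0-192.static.isp.example", "192.0.2.10"),
                     ("mail.example.org", "192.0.2.10"),
                     ("mail.example.net", "192.0.2.11")]:
        print(helo, ip, evaluate_helo(helo, ip))
```

Running the block shows the first pair passing both DNS checks while still being flagged generic, the second failing both DNS checks (the EHLO name does not belong to the connecting address), and the third passing cleanly. A receiver that rejects on `generic_name` alone, without looking at the two DNS signals, is the behaviour the message complains about.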