Re: Now well off-topic - was Re: [Exim] how to configure HEL…

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: James P. Roberts
Data:  
Para: exim-users
Assunto: Re: Now well off-topic - was Re: [Exim] how to configure HELO/EHLO and DNS for multi-homed hosts
> > > > OK, now you've lost me, Greg. I suspect there is something in
> > > > what you said here that might explain the root of the disagreement.
> > > > I just don't know what it is, yet.
> > >
> > > The reason the Reverse DNS can sometimes be used as a quite reliable way
> >
> > "sometimes" and "quite reliable" constitute an oxymoron. ;)
>
> The only problem lies in the fact that there's no obvious or defined way
> to know when it's safe to use the Reverse DNS to authenticate hostname
> addresses. It's not a small problem, to be sure, but it's also usually
> safe to ignore because other clues will usually give evidence as to when
> these details need to be examined more closely by a sufficiently
> experienced and responsible human.


So, have you got enough clues yet to consider white-listing me? ;)

>
> > I don't disagree with you about the security aspects; however, I do

continue
> > to disagree with your belief that I have any "control" over my reverse DNS
> > (direct or indirect). I do not, and it is my ISP's fault, and I do not

have
> > sufficient leverage over them to make them change, nor do I have any
> > feasible alternative ISP available. THAT's the point you seem to be
> > missing. Sadly, I am obviously not alone in this condition. It is an
> > object lesson in the evils of monopolies.
>
> I'm not missing anything. You are! :-) You are missing some sufficient
> control over your Reverse DNS.


Yes, that is exactly what I lack. Sigh. ;)

> The fact that folks like you are willing
> to settle for this situation is what makes the monoply possible and
> allows them to dictate the terms of your service to you. If you were to
> co-operate with enough of your fellow customers then there's any manner
> of possible fixes to this problem, including but not limited to the
> possiblity of getting your own ARIN allocation and thus your own
> IN-ADDR.ARPA delegation.


Is it possible to get an IP block from ARIN, and use it instead of the block
assigned by my ISP, and expect my ISP to actually send the traffic to my
router? Any pointers on this one would be MOST welcome, since it would make
my IP block independent of my ISP! Is this possible? Is it costly? How do I
do it? I suppose in much the same way as I handle my internal 192.168.x.x
network, except without the NAT? Can I do it right at the SDSL router, or do
I need the concurrence of the ISP to do that? (That is, can I completely
replace the IP block I currently use, or would I need to create an additional
gateway on my side of the router?)

This is the kind of freedom I provide to my own customers, who don't want to
change email addresses everytime they change ISP. The thought of achieving
the next level of freedom, at the IP level, is very exciting! I just never
even thought of the idea before! "D'oh!" (slaps forehead).

>
> I certainly don't envy your position, but equally I can't condone it
> either. People create the situations they must live with.


I disagree with that statement. For example, spend a week in a hospital room
with a Multiple Sclerosis victim, like I once did, and see if you still hold
that opinion. I could go on and on and on with such examples. No, people do
not "create the situations they must live with." Sometimes, yes, but
generally not. 99% of the time, we are just playing the cards we've been
dealt.

(I'd say we are much more capable of creating situations that OTHER people
must live with! And therein lies much of the world's woes. But I wax
philosophical...)

Blaming victims is bad. But encouraging victims to stand up for their rights,
as I now perceive you are at least trying to do, is a good thing. I apologize
for my earlier mis-perception. (I suspect I was not alone in that
mis-perception, though.)

>
> BTW, a quick search of the /24 your mailer lives in reveals that your
> ISP is capable of, and does manage to, delegate PTRs to at least one of
> their customers:
>
> 176.159.105.64.in-addr.arpa     CNAME   h-64-105-159-176.graves.com
> 177.159.105.64.in-addr.arpa     CNAME   h-64-105-159-177.graves.com
> 178.159.105.64.in-addr.arpa     CNAME   h-64-105-159-178.graves.com
> 179.159.105.64.in-addr.arpa     CNAME   h-64-105-159-179.graves.com
> 180.159.105.64.in-addr.arpa     CNAME   h-64-105-159-180.graves.com
> 181.159.105.64.in-addr.arpa     CNAME   h-64-105-159-181.graves.com
> 182.159.105.64.in-addr.arpa     CNAME   h-64-105-159-182.graves.com
> 183.159.105.64.in-addr.arpa     CNAME   h-64-105-159-183.graves.com

>
>
> Perhaps you just haven't talked to the right people yet, or pushed the
> right buttons yet. Perhaps the person responsible for graves.com can
> give you some pointers and help you out.
>


Now that may be helpful. Thank you.

Regards,
Jim Roberts
Punster Productions, Inc.

p.s. - Please understand, Greg, that I basically agree with you that I should
have proper reverse DNS for my servers. I hope that is obvious by now. I
have made considerable effort to re-achieve it, but so far without success.

I hope you do not take offense when I slip in the occasional dig (e.g.
"oxymoron"), to keep you on your toes. :) You should see the things I do
with my kids to encourage careful choice of words... heh-heh-heh.