Author: mb
Date:
To: Andreas J Mueller
CC: exim-users
Subject: Re: [Exim] callout problem
At 12:08 +0200 Andreas J Mueller wrote:
>> Exim was silly enough to believe youpy's MX record of 127.0.0.2--thank
>> goodness for its rate-limiting, otherwise it would have surely exploded!
>
>That's strange. Whenever I happened to come upon an MX like that
>one, sender verify failed _before_ the callout with an error message
>("All MX records point to invalid hostnames or (invalidly) to IP
>addresses").
Yes.. after some digging around I discovered that djbdns "helpfully" makes
A records for "names" which look like IP addresses (like "127.0.0.2."), so
Exim wasn't really being that silly :)
>Even then, Exim should complain, because the dnslookup router has
>ignore_target_hosts set to 0.0.0.0:127.0.0.0/8 (by default). No
>callout will be done, as the domain is unrouteable.
Yes.. my config is not even a little bit default ;) I've restored that
option, though others have pointed out that multicast/private networks can
also be added to ignore_target_hosts etc.
>But what's the worst that could happen? Exim would make a callout to
>itself, through the localhost interface. Then it would either accept
>the destination address (because localhost is allowed to relay) or
>reject it. Unless you have been messing with the "MAIL FROM:<>" to
>contain any other sender address, which could create a loop.
Yes--it called itself very rapidly..
>> I don't know what the right thing to do here is.. ..is it worth hacking
>> do_callout in verify.c to check it's actually going to connect to a
>> sensible IP address?
>
>No need to do this, Exim already has all the required functions to
>prevent this from happening. You just have to configure it correctly.
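
An added example, not part of the original message and not Exim's own code: a small Python model of the ignore_target_hosts filtering discussed in this thread, which can be used to audit a list of MX targets. It flags MX names that are really IP addresses (the 127.0.0.2 case) and shows when a domain is left with no usable hosts. The sample domains and addresses are constructed, and the private and multicast ranges in the extended list are this example's choice.

```python
import ipaddress

# Default quoted in the thread, and an extended list with private and
# multicast ranges (the specific ranges are chosen for this example).
DEFAULT_IGNORE = ["0.0.0.0", "127.0.0.0/8"]
EXTENDED_IGNORE = DEFAULT_IGNORE + [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4"]


def mx_name_is_ip_literal(name):
    """True for MX targets such as '127.0.0.2.' that are really IP addresses."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def audit(mx_hosts, ignore_items):
    """mx_hosts: list of (mx_name, [resolved addresses]).

    Drops every address that matches the ignore list and reports whether
    any target is left; with none left the domain is unrouteable and there
    is nothing to make a callout to.
    """
    nets = [ipaddress.ip_network(item, strict=False) for item in ignore_items]
    usable = [(name, addr)
              for name, addrs in mx_hosts
              for addr in addrs
              if not any(ipaddress.ip_address(addr) in net for net in nets)]
    return {
        "ip_literal_mx": [n for n, _ in mx_hosts if mx_name_is_ip_literal(n)],
        "usable": usable,
        "routeable": bool(usable),
    }


# Constructed sample data: what a resolver might hand back for three domains.
SAMPLES = {
    "bad.example": [("127.0.0.2.", ["127.0.0.2"])],
    "intranet.example": [("mail.intranet.example.", ["192.168.1.10"])],
    "ok.example": [("mx.ok.example.", ["192.0.2.25"])],
}

if __name__ == "__main__":
    for label, ignore in (("none", []), ("default", DEFAULT_IGNORE),
                          ("extended", EXTENDED_IGNORE)):
        for domain, hosts in SAMPLES.items():
            print(label, domain, audit(hosts, ignore))
```

With an empty ignore list the 127.0.0.2 target stays usable, which matches the self-callout described above; the default list removes it, and the extended list also removes the 192.168.1.10 target.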