Re: [Exim] Relaxing DNS checks

Author: Exim User's Mailing List
Date:  
To: Exim User's Mailing List
CC: Fred Viles
Subject: Re: [Exim] Relaxing DNS checks
[ On Sunday, May 9, 2004 at 10:50:28 (-0700), Fred Viles wrote: ]
> Subject: Re: [Exim] Relaxing DNS checks
>
> Which produces *way* too much collateral damage, as there are a
> gazillion legitimate MTAs whose HELO name doesn't match their rDNS
> name (if one even exists, it's not required).

Just to be clear here:

The HELO name absolutely "MUST" always resolve to an A record giving the
source IP address of the connecting client (or else be a domain literal
IP address using the right syntax and giving that source IP address).

That's a 100% absolute requirement. There are no ifs, ands, or buts
about it, and no valid excuses for hotmail or anyone else to get it
wrong.

In fact that's the only really valid test for the HELO/EHLO greeting
parameter itself. One can go further to require reverse DNS for the
connecting source address, and even to require properly matching reverse
DNS (which implies of course that the reverse DNS will match the
greeting name since the greeting name "MUST" resolve to an address that
the reverse DNS PTR(s) will be derived from). However reverse DNS
checks are secondary requirements and they are not mandated with an
absolute "MUST" in the same way that the primary requirement for a
matching A record is mandated. Any other cockamamie half-baked scheme
for pretending to validate the greeting name without first verifying
that it resolves to the client source address is bogus and misleading.

Note also that any verification and validation you choose to knowingly
implement on your systems can never cause any "collateral damage". To
refuse connections from (unknown foreign) hosts that don't know their
own proper hostname, IFF that's what your local site policy requires, is
your prerogative. Nobody can ever force you to accept an SMTP connection
you don't want -- it's your network and your computer. "Collateral
damage" would be something bad you did without expecting to do it, and
without wanting to do it. If you've set a policy that requires all of
your SMTP peers to know their own names then you can expect to reject
connections from a lot of hosts run by ignorant and/or uncaring
postmasters.

Now if your Mother has chosen to use some idiot ISP who can't figure out
how to configure their mailer hostnames and DNS to all match up
(e.g. hotmail :-), then that's not necessarily her fault (unless she did
so knowing your site policies :-) and she might not like you rejecting
her mail for that reason. However there are still two really obvious
choices open in this situation: (1) help her find an ISP with higher
standards of operations; or (2) make an exception for the idiots she has
chosen to pay her good money to.

If your mailer rejects one of your customer's Mother's mail, and your
customer complains, then it may be your fault for not making your site
policies clear to your customer, but it's still not really what anyone
should call "collateral damage".

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
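The two tests the post distinguishes, the mandatory forward check of the HELO name (hostname resolving to the client address, or a domain literal naming it) and the secondary forward-confirmed reverse-DNS check, as an added Python example that is not part of the original post or of Exim itself; the resolver and the DNS table it consults are constructed stand-ins so the code runs offline.

```python
import ipaddress
import re

# A resolver maps a hostname to its forward (A/AAAA) answers. It is injected so
# the checks run offline against the constructed table below instead of live DNS.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """Syntactic check only: two or more dot-separated letter/digit/hyphen labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lab) for lab in labels)


def forward_addresses(name, resolve):
    """Forward-resolve a name; any lookup failure counts as 'no addresses'."""
    try:
        return {ipaddress.ip_address(a) for a in resolve(name)}
    except Exception:
        return set()


def helo_matches_client(helo, client_ip, resolve):
    """Primary test from the post: the HELO/EHLO parameter is either a domain
    literal naming the connecting address, or a hostname whose A/AAAA records
    include the connecting address. Returns (ok, reason)."""
    client = ipaddress.ip_address(client_ip)
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):  # RFC 5321 address-literal tag
            literal = literal[5:]
        try:
            ok = ipaddress.ip_address(literal) == client
        except ValueError:
            return False, "malformed domain literal"
        return ok, "domain literal matches client" if ok else "domain literal names another address"
    if not is_hostname(helo):
        return False, "not a syntactically valid hostname"
    if client in forward_addresses(helo, resolve):
        return True, "HELO name resolves to client address"
    return False, "HELO name does not resolve to client address"


def forward_confirmed_rdns(client_ip, ptr_names, resolve):
    """Secondary test: at least one PTR name for the client resolves back to it."""
    client = ipaddress.ip_address(client_ip)
    return any(client in forward_addresses(n, resolve) for n in ptr_names)


# Constructed forward zone (documentation addresses, not real hosts) standing in for DNS.
FAKE_DNS = {"mx1.example.net": ["192.0.2.10"], "smtp.example.org": ["198.51.100.7"]}


def fake_resolve(name):
    return FAKE_DNS[name.rstrip(".").lower()]  # KeyError models NXDOMAIN
```

A real deployment would pass a function wrapping the system resolver in place of `fake_resolve` and feed `forward_confirmed_rdns` the PTR names obtained for the client address.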