On Jun 3, 2004, at 15:21, Greg A. Woods wrote:
> [ On Thursday, June 3, 2004 at 10:21:32 (-0700), Tor Slettnes wrote: ]
>> Subject: Re: [Exim] Delay 220 greeting to reduce spam?
>>
>> Hmm. If you _require_ a two-way DNS match, you will miss out on a lot
>> of "legitimate" mail (from such places as Amazon, Yahoo, Hotmail,
>> etc.).
>
> On the contrary _I_ don't miss out on anything! ;-)
> I.e. that's a very _good_ thing for my domain! :-)
>
> [...]
> Yes, of course, and my HELO verification succeeded because there is a
> matching A record for the client source address.
>
> But that's not the only test I require every client to pass.
You _could_ always:
deny hosts = *
for ease of configuration...
> What's the point of having reverse DNS if the result can appear as if
> another host is spoofing your hostname? There are algorithmic
> definitions for how this stuff is supposed to work so that such stupid
> confusions don't happen. You can't begin to expect a computer to assume
> that a matching subdomain, or some half-correct reverse DNS wasn't
> spoofed, unless you start inventing all kinds of complicated rules that
> nobody will ever agree on anyways.
I point the MX of my personal domain to my home machine, for which I
have no control of rDNS. Short of using something like
@ IN MX 1 24-4-199-45.client.comcast.net.
in my DNS zone (and a corresponding primary hostname on my end), I am
in flagrant violation of your idea of a cleaner, purer world.
Then again, Shrek didn't think much of Lord Fahrquad's (sp?) idea of
sanity either. My idol.
> For every hostname there must be a matching PTR and vice versa,
> regardless of how many IP addresses a hostname has or how many hostnames
> an IP address has. It's simple orthogonality at its purest. If
> anything is missing, or even one name is wrong, it's worse than there
> being no reverse DNS at all in the first place because it is misleading
> at best and indistinguishable from a poisoned cache or other spoofing
> tricks.
Which is why we have SSL CAs.
-tor
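The strict forward/reverse rule Greg Woods states above (every PTR name of the client address must resolve back to it, and every address of every such name must carry its own PTR), placed beside the looser check that accepts a client as soon as one PTR name resolves back. This is an added example, not code from the thread; the DNS records are constructed rather than looked up, and `strict_fcrdns`/`lenient_fcrdns` are hypothetical names.

```python
"""Forward-confirmed reverse DNS, strict and lenient variants.
Constructed zone data stands in for real lookups (documentation ranges)."""
from typing import Dict, List, Tuple

# Constructed records: PTR names per address, A addresses per name.
PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net", "smtp.example.net"],
    "192.0.2.11": ["relay.example.net"],
    "192.0.2.12": [],                       # no reverse DNS at all
    "198.51.100.5": ["host.example.org"],
}
A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10", "192.0.2.20"],  # .20 has no PTR
    "smtp.example.net": ["192.0.2.10"],
    "relay.example.net": ["192.0.2.99"],    # forward does not return to .11
    "host.example.org": ["198.51.100.5"],
}


def strict_fcrdns(ip: str, ptr=PTR, a=A) -> Tuple[bool, List[str]]:
    """Every PTR name must list `ip` among its A records, and every A
    record of each such name must have a PTR back to that same name.
    One missing or wrong entry fails the client, as the quoted rule demands."""
    problems: List[str] = []
    names = ptr.get(ip, [])
    if not names:
        problems.append(f"{ip}: no PTR record")
    for name in names:
        addrs = a.get(name, [])
        if ip not in addrs:
            problems.append(f"{name}: A records {addrs} do not include {ip}")
        for addr in addrs:
            if name not in ptr.get(addr, []):
                problems.append(f"{addr}: no PTR back to {name}")
    return (not problems, problems)


def lenient_fcrdns(ip: str, ptr=PTR, a=A) -> bool:
    """Common relaxed form: pass if any PTR name resolves back to `ip`."""
    return any(ip in a.get(name, []) for name in ptr.get(ip, []))


if __name__ == "__main__":
    for client in PTR:
        ok, why = strict_fcrdns(client)
        print(f"{client}: strict={'pass' if ok else 'FAIL'} "
              f"lenient={'pass' if lenient_fcrdns(client) else 'FAIL'} {why}")
```

Running it shows 192.0.2.10 passing the lenient check but failing the strict one because of the second address without a PTR, which is exactly the class of host the two posters disagree about.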