RE: [Exim] Viruses, and HELOs without dots

Author: Kjetil Torgrim Homme
Date:  
To: Nigel Metheringham
CC: exim-users
Subject: RE: [Exim] Viruses, and HELOs without dots
On Tue, 2004-08-03 at 09:06 +0100, Nigel Metheringham wrote:
> On Mon, 2004-08-02 at 18:40, Kjetil Torgrim Homme wrote:
> > he's actually just enforcing the requirements of the RFCs, except he has
> > an exception to allow for some common misconfigurations. I don't see
> > how you can say that RFC 2821 has had less thought and design going into
> > it than SPF.
>
> Oh god I thought we were past that form of idiocy by now.
>
> MX hosts have absolutely fuck all to do with which hosts may send mail.


in theory, but not in practice. lots of small sites have only one
server, handling both inbound and outbound.

> For example, look at pretty much *any* of the big ISPs. They have
> multiple clusters of mail machines. One group of machines handles
> incoming mail - they have the MXes pointing at them. A different
> cluster of machines handles outgoing mail, they are not part of the
> MXes, and may often have a completely different machine name than the
> domains they handle.


yes, my own cluster works that way, too, but the DNS and HELO match, so
it complies with even a strict interpretation of the RFCs.

> SPF gives a way to associate sending machines with sender domains by
> using additional data which was not available until SPF codified a way
> of presenting it in the DNS. Pretending you can derive this information
> from the MX hosts for a domain is pure delusion. [This is not to be
> taken as a statement that I think SPF is an unmitigated good thing]


no one has claimed that Benedikt Hochstrasser's rule set has anything to
do with SPF except you. he only checks HELO, he doesn't look at the
domain part of the envelope sender.

to backtrack: first he runs the normal Exim check to see if the HELO
argument matches the connecting IP.

* is the PTR RR for the IP == HELO? -> OK
* is one of the A RR for the HELO == IP? -> OK

this is a pretty loose check, some people will argue _both_ need to be
true to follow the RFC strictly. AFAIK, SPF requires compliant hosts to
do both.

unfortunately, this will still lead to much legitimate e-mail being
blocked. Benedikt suggests loosening the check even more by adding

* is the A RR for the MX RR for the HELO == IP? -> OK

one real life example which will be accepted by this added check is

IP = 169.229.58.57
HELO = math.berkeley.edu

* PTR for 169.229.58.57 is mail.math.Berkeley.EDU -> MISMATCH
* A RR for math.berkeley.edu is 169.229.58.63 -> MISMATCH

but:

  * MX RR for math.berkeley.edu is mail.math.berkeley.edu.
    A RR for mail.math.berkeley.edu is 169.229.58.63 -> OK!


even with this added check, e-mail from Hotmail will be refused. this
is of course Benedikt's prerogative.

> Before you argue back at this remember I have built and operated a multi
> million user mail system from scratch, and on this subject I know my
> stuff.


fine, but remember Hotmail and AOL are multi-million user systems, too,
and they certainly have no idea how SMTP should be set up to follow
Internet standards. (Brad Knowles, come back!)
--
Kjetil T.
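The three HELO checks Kjetil lists (PTR, A, and Benedikt's MX fallback), written out as an added example that is not part of the thread and not Exim's own code: a small Python verifier that runs the checks against a constructed, in-memory DNS table so it works offline. All names and addresses (math.example.org, bigmail.example, 192.0.2.x, 198.51.100.x) are constructed; the first case has the same shape as the math.berkeley.edu example above, with the A record of the MX host set equal to the connecting IP so that only the MX fallback accepts it, and the second mirrors an outbound-only webmail relay that fails every check. The `mode` parameter, `HeloResult` and the helper names are assumptions of this example.

```python
"""HELO verification as described in the thread: Exim's loose check (PTR or A),
the stricter reading (PTR and A), and the extra fallback (A record of the HELO's MX).
Added example; DNS is replaced by a constructed in-memory table."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Zone = Dict[Tuple[str, str], List[str]]

# Constructed zone data (RFC 5737 documentation addresses, .example names).
# The math.example.org case has the shape of the mail's math.berkeley.edu example;
# smtp.bigmail.example is an outbound-only relay with no matching PTR, A or MX.
CONSTRUCTED_ZONE: Zone = {
    ("57.2.0.192.in-addr.arpa", "PTR"): ["mail.math.Example.ORG"],  # mixed case, as PTRs often are
    ("math.example.org", "A"): ["192.0.2.63"],
    ("math.example.org", "MX"): ["mail.math.example.org"],
    ("mail.math.example.org", "A"): ["192.0.2.57"],
    ("10.100.51.198.in-addr.arpa", "PTR"): ["outbound-10.bigmail.example"],
    ("smtp.bigmail.example", "A"): ["198.51.100.20"],
    # no MX record for smtp.bigmail.example: outbound relays usually have none
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name used for the PTR lookup of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def lookup(zone: Zone, name: str, rrtype: str) -> List[str]:
    """Case-insensitive lookup (DNS names are case-insensitive); [] when no records exist."""
    return [r.lower() for r in zone.get((name.lower(), rrtype), [])]


def ptr_matches(zone: Zone, ip: str, helo: str) -> bool:
    """Check 1: is the PTR record for the IP equal to the HELO name?"""
    return helo.lower() in lookup(zone, reverse_name(ip), "PTR")


def a_matches(zone: Zone, ip: str, helo: str) -> bool:
    """Check 2: is one of the A records for the HELO name the connecting IP?"""
    return ip in lookup(zone, helo, "A")


def mx_matches(zone: Zone, ip: str, helo: str) -> bool:
    """Check 3 (the suggested extra one): is an A record of one of the HELO's MX hosts the IP?"""
    return any(ip in lookup(zone, mx, "A") for mx in lookup(zone, helo, "MX"))


@dataclass
class HeloResult:
    accepted: bool
    reason: str


def verify_helo(zone: Zone, ip: str, helo: str, mode: str = "loose") -> HeloResult:
    """mode='strict': PTR and A must both match (the stricter reading of the RFC).
    mode='loose':  PTR or A matches (Exim's HELO check as described in the mail).
    mode='mx':     loose, plus accept when an A record of the HELO's MX is the IP."""
    if mode not in ("strict", "loose", "mx"):
        raise ValueError(f"unknown mode {mode!r}")
    # Syntactic gate from the thread's subject: a HELO without a dot cannot be an FQDN.
    # (Bracketed address literals are not handled by this example.)
    if "." not in helo:
        return HeloResult(False, "HELO is not a dotted host name")
    ptr = ptr_matches(zone, ip, helo)
    a = a_matches(zone, ip, helo)
    if mode == "strict":
        if ptr and a:
            return HeloResult(True, "PTR and A both match")
        return HeloResult(False, "strict mode requires PTR and A to both match")
    if ptr:
        return HeloResult(True, "PTR for IP matches HELO")
    if a:
        return HeloResult(True, "A record of HELO matches IP")
    if mode == "mx" and mx_matches(zone, ip, helo):
        return HeloResult(True, "A record of HELO's MX matches IP")
    checked = "PTR/A/MX" if mode == "mx" else "PTR/A"
    return HeloResult(False, f"no {checked} match for HELO")


if __name__ == "__main__":
    cases = [
        ("192.0.2.57", "math.example.org"),       # only the MX fallback accepts this
        ("192.0.2.57", "mail.math.example.org"),  # PTR (case-folded) and A both match
        ("198.51.100.10", "smtp.bigmail.example"),  # refused in every mode
        ("198.51.100.10", "localhost"),           # no dot: refused before any lookup
    ]
    for ip, helo in cases:
        for mode in ("strict", "loose", "mx"):
            r = verify_helo(CONSTRUCTED_ZONE, ip, helo, mode)
            print(f"{mode:6} {ip:14} {helo:24} -> {'OK ' if r.accepted else 'REJ'} ({r.reason})")
```

Running it prints one line per case and mode; the math.example.org line is rejected in strict and loose mode and accepted only in mx mode, which is exactly the effect of the added check described above, while the outbound-only relay is refused in all three modes, the point made about Hotmail.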