Re: [exim] Exim server behind NAT router (and HELO)

Góra strony
Delete this message
Reply to this message
Autor: Fred Viles
Data:  
Dla: exim-users
Temat: Re: [exim] Exim server behind NAT router (and HELO)
On 16 Mar 2005 at 11:17, Toralf Lund wrote about
    "Re: [exim] Exim server behind NAT r":


| Fred Viles wrote:
| 
| >On 15 Mar 2005 at 22:02, Toralf Lund wrote about
| >    "[exim] Exim server behind NAT route":
| >
| >|...
| >| Is anyone else running Exim in such a setup? What's the best way to get 
| >| a correct HELO?
| >
| >What is your definition of "correct"?  
| >  
| >
| My definition? I don't have one as such. The RFCs mandate that the 
| HELO/EHLO data has a certain format, however.


The RFC's mandate a syntax (either a valid FQDN or an IP literal),
but don't allow the receiving MTA to reject based on the particular
name provided. So you'd be RFC clean with
"EHLO an.arbitrary.name.invalid".

Is that an acceptable answer? Didn't think so... ;)

|...
| >The NAT router isn't the problem, BTW, it's the dynamic IP address.
| >FWIW, any site that insists that the HELO/EHLO name looks up to the
| >connecting IP address is not very concerned about rejecting
| >legitimate email.
| >
| Well, in my experience a large proportion of all spams and virus mails
| have invalid HELO/EHLO names,


Again, for what definition of invalid? Checking the 1541 unique
sending hosts in my sorbs quarantine folder, I see 250 where the HELO
name matches the PTR name. The remaining 1291 are all
*syntactically* valid (I reject on invalid syntax except for '_'),
though I don't doubt that most of the names do not own an A record
that matches the connecting IP.

| and conversely, about 99% of all messages
| with invalid data are spam or viruses.


That's not my experience. A ridiculous number of otherwise
legitimate MTAs don't even have syntactically valid HELO names
(Exchange sites love to use '_' in their host names).

| Of course, I wouldn't want to
| block all messages until that number reaches 100%, but I don't want to
| be the one that prevents it from ever getting there, if you know what I
| mean.


I guess, you want your HELO name to be "valid". But you can't say
what you mean by "valid". ISTM the possible definitions are:

1. syntactically valid. Trivial, any name will do.
2. Owns a correct A record. Also trivial, but requires a DynDNS
service.
3. Owns a correct A record and matches the PTR name. Tricky if your
ISP has set up generic forward and reverse DNS (bluecom.no has),
impossible if they haven't.

| However, I still haven't come across
| anyone that blocks "my" dynamic range. It may have something to do with
| the fact that I'm using a relatively small and unknown ISP...


That's entirely possible, lucky for you. It probably also helps that
your ISP's generic PTR names don't include "dsl" or "dialup" or
"pool".

- Fred