Re: [exim] Exim server behind NAT router (and HELO)

Author: Exim User's Mailing List
Date:  
To: Brian Candler
CC: Exim User's Mailing List
Subject: Re: [exim] Exim server behind NAT router (and HELO)
[ On Wednesday, March 23, 2005 at 14:14:10 (+0000), Brian Candler wrote: ]
> Subject: Re: [exim] Exim server behind NAT router (and HELO)
>
> On Wed, Mar 23, 2005 at 11:44:54AM +0000, Matt Fretwell wrote:
> > Brian Candler wrote:
> >
> > > Of course, even if it sends an IP address literal, it will be wrong if
> > > it's behind a NAT firewall.
> >
> > Not if it announces the IP of the NAT unit. That is the IP it is seen as
> > connecting from, so why not announce with that address.
>
> Because there's no way, in general, for it to learn that information.


Excuse me?!?!?

If the administrator of the site in question doesn't know what the
public IP address of their NAT is then that person has the wrong job.

They should probably be demoted to fetching coffee, or even cleaning
washrooms, ASAP!

> And anyway, the client may be connecting to
> some servers on the local side of the NAT box and some on the far side.


Once again you're making a mountain out of a tiny grain of sand.

This is a _VERY_ trivial and simple issue to deal with, especially on
the private network side where everything is under full and total
control of the private network operator.

> For me, the point is that the EHLO name is a *debugging tool*.


Ah, BZZZT, WRONG. Oh so wrong. Completely wrong. Try again.

> If the EHLO name is *forced* to have some correspondence to the DNS name of
> the sending machine, then it loses its value entirely:


No, that _is_ its value, entirely.

> in that case it
> should have been omitted from the protocol altogether.


You've not been paying attention very well. I've already explained, in
detail, the precise reasons why the greeting command is a most vital
part of the protocol.

> Checking the EHLO name against DNS has no value as an anti-spam measure
> either.


Indeed it's not about spam -- it's about trust, about how much one
trusts the domain names used in the message, how much one trusts the
addresses they point to, etc. Please try to look at the whole picture.

-- 
                        Greg A. Woods


H:+1 416 218-0098  W:+1 416 489-5852 x122  VE3TCP  RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>