Re: [exim] Exim server behind NAT router (and HELO)

Góra strony
Delete this message
Reply to this message
Autor: Exim User's Mailing List
Data:  
Dla: Brian Candler
CC: Exim User's Mailing List
Temat: Re: [exim] Exim server behind NAT router (and HELO)
[ On Wednesday, March 23, 2005 at 14:14:10 (+0000), Brian Candler wrote: ]
> Subject: Re: [exim] Exim server behind NAT router (and HELO)
>
> On Wed, Mar 23, 2005 at 11:44:54AM +0000, Matt Fretwell wrote:
> > Brian Candler wrote:
> >
> > > Of course, even if it sends an IP address literal, it will be wrong if
> > > it's behind a NAT firewall.
> >
> > Not it if announces the IP of the NAT unit. That is the IP it is seen as
> > connecting from, so why not announce with that address.
>
> Because there's no way, in general, for it to learn that information.


Excuse me?!?!?

If the administrator of the site in question doesn't know what the
public IP address of their NAT is then that person has the wrong job.

They should probably be demoted to fetching coffee, or even cleaning
washrooms, ASAP!

> And anyway, the client may be connecting to
> some servers on the local side of the NAT box and some on the far side.


Once again you're making a mountain out of a tiny grain of sand.

This is a _VERY_ trivial and simple issue to deal with, especially on
the private network side where everything is under full and total
control of the private network operator.

> For me, the point is that the EHLO name is a *debugging tool*.


Ah, BZZZT, WRONG. Oh so wrong. Completely wrong. Try again.

> If the EHLO name is *forced* to have some correspondence to the DNS name of
> the sending machine, then it loses its value entirely:


No, that _is_ its value, entirely.

> in that case it
> should have been omitted from the protocol altogether.


You've not been paying attention very well. I've already explained, in
detail, the precise reasons why the greeting command is a most vital
part of the protocol.

> Checking the EHLO name against DNS has no value as an anti-spam measure
> either.


Indeed it's not about spam -- it's about trust, about how much one
trusts the domain names used in the message, how much one trusts the
addresses they point to, etc. Please try to look at the whole picture.

-- 
                        Greg A. Woods


H:+1 416 218-0098  W:+1 416 489-5852 x122  VE3TCP  RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>