Re: [exim] Exim server behind NAT router (and HELO)

Author: Brian Candler
Date:  
To: Greg A. Woods
CC: Exim User's Mailing List, Richard Clayton
Subject: Re: [exim] Exim server behind NAT router (and HELO)
On Wed, Mar 23, 2005 at 04:22:56PM -0500, Greg A. Woods wrote:
> Well once again it's all about trust, isn't it.
>
> In the DNS the meager trust available comes from comparing the results
> of lookups within two separate zones of authority. In this case the
> names clearly do not match so no trust can be granted and the hostname
> must not be assumed to be valid. Any number of many possible attacks
> could have delivered this apparently bogus information to my nameserver.
>
> $ host -v -A mail.highwayman.com
> Query about mail.highwayman.com for record types A
> Found 1 address for host mail.highwayman.com
> Hostname mail.highwayman.com maps to address 80.177.121.10
> Checking mail.highwayman.com address 80.177.121.10
> *** mail.highwayman.com address 80.177.121.10 maps to hostname happyday.demon.co.uk
> *** Hostname mail.highwayman.com does not belong to address 80.177.121.10
> *** Not all addresses for hostname mail.highwayman.com have a matching hostname.

I'm afraid you've got that check back to front.

It's perfectly acceptable (and indeed very common) for multiple names to map
to the same IP address, and for the reverse DNS to have a PTR to only one of
those names.

                        fwd DNS
   mail.highwayman.com  ------->
   happyday.demon.co.uk -------> 80.177.121.10
   happyday.demon.co.uk <-------
                         rev DNS

You cannot tell that mail.highwayman.com is spoofed from that. Richard could
be running a website http://mail.highwayman.com/ on his machine, for
example.

However it *would* be spoofing if, for example, in your reverse zone you
mapped 204.92.254.2 to happyday.demon.co.uk. Then, someone doing a forward
lookup on happyday.demon.co.uk would find 80.177.121.10, and therefore know
that the PTR record for 204.92.254.2 was forged.

That is: IP->name->IP must match; name->IP->name need not.

Now, AFAIK exim does the IP->name->IP check already. That is, if it receives
a connection from x.x.x.x, and you have configured exim to do reverse DNS
lookups to resolve that to a hostname, it will do a reverse lookup to find
the name associated with that address, but then also do a forward lookup on
the name to see if it resolves to the same IP address x.x.x.x (or if
multiple A records are returned, one of them is x.x.x.x). And if that fails,
the reverse DNS lookup name is discarded.

You can check for this condition and reject the connection based on it,
should you wish to do so - as a personal policy choice. It's not going to
benefit you, unless you believe that spammers have more reverse DNS
configuration errors than non-spammers (which I don't believe), or you just
don't like talking to people.

Brian.
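The two directions of the check Brian contrasts, worked through on the thread's own data, as an added example that is not part of the original message or of Exim itself. The in-memory A and PTR tables are constructed for illustration; the PTR entry for 204.92.254.2 is the forged one he describes hypothetically.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data mirroring the thread (not live DNS).
FORWARD_A: Dict[str, List[str]] = {
    "mail.highwayman.com": ["80.177.121.10"],
    "happyday.demon.co.uk": ["80.177.121.10"],
}
REVERSE_PTR: Dict[str, List[str]] = {
    "80.177.121.10": ["happyday.demon.co.uk"],
    # Hypothetical forged PTR: forward lookup of the name disagrees.
    "204.92.254.2": ["happyday.demon.co.uk"],
}


def confirmed_hostname(ip: str, ptr=REVERSE_PTR, a=FORWARD_A) -> Optional[str]:
    """IP -> name -> IP: return a PTR name whose A records include ip.

    This is the forward-confirmed check an MTA applies before trusting a
    reverse-lookup name.  If no PTR name confirms, the name is discarded
    (returns None); the connection itself is not rejected by this step.
    """
    for name in ptr.get(ip, []):
        if ip in a.get(name, []):
            return name
    return None


def name_to_ip_to_name_matches(name: str, ptr=REVERSE_PTR, a=FORWARD_A) -> bool:
    """name -> IP -> name: the direction Brian says need NOT hold."""
    return any(name in ptr.get(ip, []) for ip in a.get(name, []))


def connection_verdict(ip: str, require_confirmed: bool = False) -> Tuple[str, str]:
    """Policy layer: optionally reject peers whose reverse DNS does not confirm."""
    name = confirmed_hostname(ip)
    if name is None and require_confirmed:
        return ("reject", "reverse DNS name did not forward-confirm")
    return ("accept", name or "<no confirmed hostname>")


if __name__ == "__main__":
    for ip in ("80.177.121.10", "204.92.254.2"):
        print(ip, "->", confirmed_hostname(ip), connection_verdict(ip, True))
    # Multiple names may share an IP; only one gets the PTR, and that is fine.
    print("mail.highwayman.com round-trips:",
          name_to_ip_to_name_matches("mail.highwayman.com"))
```

Exim's `host_lookup` main option performs the IP->name->IP confirmation shown in `confirmed_hostname`, and the `verify = reverse_host_lookup` ACL condition is the equivalent of `require_confirmed=True` (mentioned here as context; neither is on the page).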