Author: John W. Baxter
Date:
To: Exim users list
Subject: Re: [exim] deny hosts problem with IPs that don't resolve to hostnames
On 1/3/06 7:02 AM, "Giuliano Gavazzi" <dev+lists@???> wrote:
> but it lets
>> other messages through (eg from 203.154.117.2):
>>
>>>>> host in "!my-gatewayIP : !net-lsearch;/var/log/pop-ips.log"?
>> no (failed to find host name for 203.154.117.2)
>>>>> deny: condition test failed
>>>>> processing "accept"
>>
>> The error is curious because I can find a hostname for that IP ....
>> but regardless how do I stop it allowing by default?
>>
The parenthetical "(failed to find host name for 203.154.117.2)" isn't an
error (that is, doesn't contribute to the processing), it is commentary.
It is true that a name is found for this IP, but Philip wants more than
that--he wants at least one of the names for the IP to have an A record (I'm
ignoring IPv6) with the same IP address. The name in DNS for this IP has no
forward lookup (in IPv4 space):
    $ host 203-154-117-2.inter.net.th
    Host 203-154-117-2.inter.net.th not found: 3(NXDOMAIN)
Therefore, Exim considers that the IP address has no useful name.
You can test for that (see the spec) but be warned that being dogmatic about
it can cut off incoming mail from senders whose mail you may want to accept.
We add "spamishness" for no name (after using our own daemon to try for a
name, any name, with failure being "softer" than in Exim's lookups), but we
also have a list of IPs for which we consider no name to be OK. (The
Washington State government has many instances of improper DNS in its
"fleet" of mail sending machines, and being in Washington we sort of have
to accept mail from them. Teachers dislike not being able to send email
from school to their home mailbox, for instance.)
As to why your test isn't working, try

    exim -bh 203.154.117.2

If the output doesn't have enough detail, try

    exim -d -bh 203.154.117.2

(And you can also turn on more debugging features, and turn off others which
just produce noise in this particular case...see the Exim documentation.)
Your deny looks right, but I've been around computers for a long time (since
1957, not counting looking over work my mother brought home before that),
and I *still* get into trouble combining negative tests. (I do sometimes
get it right.)
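
The name check described in this message, as an added example that is not part of the original post and is neither Exim's code nor the poster's daemon: a reverse lookup counts only if one of the returned names resolves forward to the same IPv4 address. The penalty value, the `no_name_ok` allowlist parameter, the function names and the sample DNS tables are assumptions constructed for illustration.

```python
import socket

def ptr_names(ip):
    """Reverse lookup: every name DNS returns for this IP ([] on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def a_records(name):
    """Forward lookup: IPv4 addresses for this name ([] on NXDOMAIN etc.)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def confirmed_names(ip, ptr_lookup=ptr_names, a_lookup=a_records):
    """Names for ip whose A records include ip again."""
    return [n for n in ptr_lookup(ip) if ip in a_lookup(n)]

def no_name_penalty(ip, no_name_ok=frozenset(), penalty=2,
                    ptr_lookup=ptr_names, a_lookup=a_records):
    """Score to add for a host without a confirmed name (hypothetical policy):
    0 for allowlisted IPs or confirmed names, otherwise the penalty."""
    if ip in no_name_ok or confirmed_names(ip, ptr_lookup, a_lookup):
        return 0
    return penalty

# Constructed DNS data so the example runs offline. The first entry models
# the case in the message: a PTR name exists but has no A record.
SAMPLE_PTR = {
    "203.154.117.2": ["203-154-117-2.inter.net.th"],
    "192.0.2.10": ["mail.example.org"],
}
SAMPLE_A = {"mail.example.org": ["192.0.2.10"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_a(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for ip in ("203.154.117.2", "192.0.2.10", "198.51.100.7"):
        names = confirmed_names(ip, sample_ptr, sample_a)
        score = no_name_penalty(ip, ptr_lookup=sample_ptr, a_lookup=sample_a)
        print(f"{ip}: confirmed={names or 'none'} penalty={score}")
```

Called without the `sample_*` lookups, the functions query the system resolver instead of the constructed tables.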