Re: [exim] problems with host authentication (no IP address …

Author: Richard Clayton
Date:  
To: exim-users
Subject: Re: [exim] problems with host authentication (no IP address found for host ...)
In message <C225AB32CFB47940B20D6D32955D9FFC03E37996@???
.systemhost.net>, martin.dm.hull@??? writes

>Previously, exim3 took the IP address of sending host, did a reverse
>lookup to get a host name and looked for a match in a file. If the
>customer domain was example.com, there would be 2 lines in the file for
>example.com and *.example.com. This worked well.


ITYM, no-one attacked this scheme, so you were happy with it. Now you've
published the details you may not be happy for much longer :(

If I own 128.232.15/24 then I can ensure that the reverse DNS for
128.232.15.208 is "richard.example.com" without ever discussing this
with the good folks at Example Inc.

You will then authorise 128.232.15.208 to send email through your
systems under the false belief that Example Inc is responsible :( This
will do nothing for your reputation and connectivity :(

>Not so in exim4! Some of our customers have dodgy DNS. So after getting
>the host name, instead of looking for a match in the file, exim4 instead
>goes and does a forward lookup on the host name and comes back with
>NXDOMAIN. Exim4 reports that it couldn't find the hostname.


I don't see how it can ever be possible for anyone (let alone a simple
computer program) to distinguish between "dodgy DNS" operated by the
good guys and "wicked DNS" operated by the bad guys.

>Now I know it would be great if our customers had their DNS correct but
>that will take a long time to get them sorted, so how do I make it work
>like exim3?


You shouldn't -- you should be looking to authorise static IP address
ranges; validly configured DNS (though DNS isn't as secure as people
think, so this isn't entirely wise); and using authentication for the
rest :(

You'll find that not being able to send email is quite a strong driver
for getting things fixed!

-- 
richard                                                   Richard Clayton


Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
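
The difference between trusting the reverse lookup alone and confirming it with a forward lookup, as an added example that is not part of the original message or of Exim's code. The resolver tables, the 192.0.2.x hosts and the static range are constructed, and the function names are hypothetical.

```python
import fnmatch
import ipaddress

# Constructed resolver data (not real DNS). PTR records are published by
# whoever controls the address block; A records by whoever controls the domain.
PTR = {
    "128.232.15.208": "richard.example.com",  # set by the owner of 128.232.15/24
    "192.0.2.25": "mail.example.com",         # customer host with correct DNS
    "192.0.2.77": "gw.example.com",           # customer host with "dodgy DNS"
}
A = {
    "mail.example.com": ["192.0.2.25"],
    # no A record for richard.example.com or gw.example.com (NXDOMAIN)
}
ALLOWED_NAMES = ["example.com", "*.example.com"]        # the two lines in the file
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.64/27")]  # assumed static customer range


def name_allowed(name):
    return any(fnmatch.fnmatch(name.lower(), pat) for pat in ALLOWED_NAMES)


def ptr_only(ip):
    """Check described in the quoted text: trust the reverse lookup as-is."""
    name = PTR.get(ip)
    return name is not None and name_allowed(name)


def forward_confirmed(ip):
    """Accept the PTR name only if its forward lookup returns the same IP."""
    name = PTR.get(ip)
    if name is None or not name_allowed(name):
        return False
    return ip in A.get(name, [])  # a missing A record behaves like NXDOMAIN


def relay_decision(ip, authenticated=False):
    """Order suggested in the reply: static ranges, valid DNS, then authentication."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ALLOWED_NETS):
        return "accept: static range"
    if forward_confirmed(ip):
        return "accept: forward-confirmed DNS"
    if authenticated:
        return "accept: authenticated"
    return "deny"
```

The host with broken forward DNS (192.0.2.77) is still served through the static range, while the address whose owner merely chose a convenient PTR name is refused.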