Re: [exim] problems with host authentication (no IP address …

Author: John W. Baxter
Date:  
To: exim-users
Subject: Re: [exim] problems with host authentication (no IP address found for host ...)
On 2/25/06 7:19 AM, "Richard Clayton" <richard@???> wrote:

>> IIRC, exim only accepts the name from rDNS if the DNS of that name matches
>> the IP.
>
> that's precisely what the original poster was complaining about :(
>
> I was explaining the reasoning behind the change since exim3 ... and why
> one would not wish to try and "fix it"


It was by deliberate design, and it is unlikely to be "fixed" in an official
Exim (speaking as one who will likely never define "official Exim" either
before or after Philip retires).

Without the check, someone who has control of the reverse lookup for w.x.y.z
for any z can return any name he pleases, without the owner of the domain
having any direct control. So reverse DNS without confirmation from what
the domain owner DOES control is virtually meaningless.

Here, we have elected to relax the requirement for the purpose of flagging
"suspicious servers," accepting any result from reverse lookup as less
suspicious than no result. We do that with a Python daemon which follows
the rules we want to follow in the case of lookup failures, since Exim
doesn't.

Plus we still need a whitelist, which we keep in a small flat file called
no_name_ok.txt, since there are real servers with sadly messed up name
service (including many Washington state school districts, whose DNS is
operated--not well--by the state).

But Philip's rule is correct for producing a name which is somewhat
trustable as meaning something. (Except for some problems being fixed with
respect to how some servers return IPv6 results: even there, the rule is
correct; the result ran afoul of some faulty servers.)

--John
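
An added example, not part of the original message and not Exim's or the poster's code: a Python sketch of the forward-confirmed reverse lookup discussed above, together with the relaxed "any reverse result is less suspicious than none" classification. The verdict names, the helper names, the sample DNS tables and the choice to key the whitelist on IP address strings are all assumptions made for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver; [] when there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_forward(name):
    """Addresses (A and AAAA) that name resolves to; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def same_ip(a, b):
    """Compare parsed addresses, so differing IPv6 spellings still match."""
    try:
        return ipaddress.ip_address(a.split("%")[0]) == ipaddress.ip_address(b)
    except ValueError:
        return False

def classify(ip, ptr=system_ptr, forward=system_forward, no_name_ok=frozenset()):
    """Return (verdict, name): confirmed, unconfirmed, whitelisted or no_name."""
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    for name in names:
        # The confirmation step: the name counts only if the zone its owner
        # controls maps it back to the connecting address.
        if any(same_ip(a, ip) for a in forward(name)):
            return ("confirmed", name)
    if names:
        # Relaxed policy from the message: an unconfirmed name is still
        # treated as less suspicious than no reverse result at all.
        return ("unconfirmed", names[0])
    # Assumption: the whitelist is a set of IP address strings.
    return ("whitelisted", None) if ip in no_name_ok else ("no_name", None)

# Constructed sample data (documentation address ranges), not real DNS.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.org."],
              "192.0.2.20": ["mx.bank.example"],
              "2001:db8::25": ["mx6.example.org"]}
SAMPLE_FWD = {"mail.example.org": {"192.0.2.10"},
              "mx.bank.example": {"198.51.100.7"},
              "mx6.example.org": {"2001:DB8:0:0:0:0:0:25"}}

def sample_classify(ip, no_name_ok=frozenset()):
    """classify() wired to the constructed tables above, for offline runs."""
    return classify(ip, lambda i: SAMPLE_PTR.get(i, []),
                    lambda n: SAMPLE_FWD.get(n, set()), no_name_ok)
```

Calling `classify(ip)` with no other arguments uses the system resolver; an "unconfirmed" name is one chosen by whoever controls the reverse zone, so it should not be matched against host lists or logged as if it were verified.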