Re: [exim] hosts = *.kolido.net not matched, even the PTR ex…

Author: Renaud Allard
Date:  
To: exim-users
Subject: Re: [exim] hosts = *.kolido.net not matched, even the PTR exists?


Kjetil Torgrim Homme wrote:
> On Sun, 2007-01-07 at 22:16 +0100, Heiko Schlittermann wrote:
>> in my ACL there I've a rule
>>
>>     deny    hosts = *.kolido.net
>>
>> But exim accepts connections from 91.184.48.154.
>>
>> If I check the DNS, I find that
>>     91.184.48.154's PTR ms105.nl.kolido.net
>> though
>>     ms105.nl.kolido.net A 193.239.6.105
>>
>> So the PTR does not fit to the A record.
>
>>     >>> processing "deny"
>>     >>> check hosts = *.kolido.net
>>     >>> sender host name required, to match against *.kolido.net
>>     >>> host in "*.kolido.net"? no (failed to find host name for 91.184.48.154)
>>     >>> deny: condition test failed
>>
>> If I understand the spec, (section 10.13), there is nothing mentioned
>> about "double" checking the PTR:
>
> if it didn't double-check, it would be a massive security hole.
> _anyone_ can set up a PTR to point to your domain name. sure, it's not
> a problem for "deny", but many people use this for "accept", too.
>


So, an ACL like

condition = ${if match {${lookup dnsdb{ptr=$sender_host_address}}}{\Nkolido.net$\N}{no}{yes}}

would do the trick, but indeed in an insecure fashion for an accept
statement.
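
An added illustration, not part of the original message and not Exim's own code: a small Python model of the forward-confirmed host name check discussed in this thread, beside a PTR-only match. The DNS tables are constructed from the records quoted above plus two made-up example.org hosts, and all function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed resolver data, so the example runs offline.
PTR = {
    "91.184.48.154": ["ms105.nl.kolido.net"],   # PTR quoted in the thread
    "192.0.2.10": ["mail.example.org"],         # constructed: PTR and A agree
    "198.51.100.7": ["trusted.example.org"],    # constructed: PTR set by the IP's owner
}
A = {
    "ms105.nl.kolido.net": ["193.239.6.105"],   # A record quoted in the thread
    "mail.example.org": ["192.0.2.10"],
    "trusted.example.org": ["192.0.2.99"],      # the real host lives elsewhere
}

def ptr_names(ip):
    """Names the reverse zone claims for this address (unverified)."""
    return [n.lower().rstrip(".") for n in PTR.get(ip, [])]

def verified_names(ip):
    """Keep only PTR names whose forward A records include the same address."""
    return [n for n in ptr_names(ip) if ip in A.get(n, [])]

def host_matches(ip, pattern, verify=True):
    """Wildcard match of a host pattern against verified or raw PTR names."""
    names = verified_names(ip) if verify else ptr_names(ip)
    return any(fnmatchcase(n, pattern.lower()) for n in names)

def report(ip, pattern):
    """Return (forward-confirmed result, PTR-only result) for one client."""
    return host_matches(ip, pattern), host_matches(ip, pattern, verify=False)

if __name__ == "__main__":
    for ip, pat in [("91.184.48.154", "*.kolido.net"),
                    ("192.0.2.10", "*.example.org"),
                    ("198.51.100.7", "*.example.org")]:
        confirmed, ptr_only = report(ip, pat)
        print(f"{ip:15} {pat:15} confirmed={confirmed} ptr_only={ptr_only}")
```

The first row reproduces the situation in the thread: the confirmed check finds no usable host name, while a PTR-only comparison matches. The third row shows why a PTR-only comparison is unsafe in an accept rule.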