Kjetil Torgrim Homme wrote:
> On Sun, 2007-01-07 at 22:16 +0100, Heiko Schlittermann wrote:
>> in my ACL there I've a rule
>>
>> deny hosts = *.kolido.net
>>
>> But exim accepts connections from 91.184.48.154.
>>
>> If I check the DNS, I find that
>> 91.184.48.154's PTR ms105.nl.kolido.net
>> though
>> ms105.nl.kolido.net A 193.239.6.105
>>
>> So the PTR does not fit to the A record.
>
>> >>> processing "deny"
>> >>> check hosts = *.kolido.net
>> >>> sender host name required, to match against *.kolido.net
>> >>> host in "*.kolido.net"? no (failed to find host name for 91.184.48.154)
>> >>> deny: condition test failed
>>
>> If I understand the spec, (section 10.13), there is nothing mentioned
>> about "double" checking the PTR:
>
> if it didn't double-check, it would be a massive security hole.
> _anyone_ can set up a PTR to point to your domain name. sure, it's not
> a problem for "deny", but many people use this for "accept", too.
>
So, an ACL like
condition = ${if match {${lookup
dnsdb{ptr=$sender_host_address}}{\Nkolido.net$\N}{no}{yes}}
would do the trick, but indeed in an insecure fashion for an accept
statement.
