Re: [exim] hosts = *.kolido.net not matched, even the PTR ex…

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] hosts = *.kolido.net not matched, even the PTR exists?
Kjetil Torgrim Homme <kjetilho@???> (So 07 Jan 2007 22:52:37 CET):
> On Sun, 2007-01-07 at 22:16 +0100, Heiko Schlittermann wrote:
> > in my ACL there I've a rule
> >
> >     deny    hosts = *.kolido.net
> >
> > But exim accepts connections from 91.184.48.154.
> >
> > If I check the DNS, I find that
> >     91.184.48.154's PTR ms105.nl.kolido.net
> > though
> >     ms105.nl.kolido.net A 193.239.6.105
> >
> > So the PTR does not fit to the A record.
>
> >     >>> processing "deny"
> >     >>> check hosts = *.kolido.net
> >     >>> sender host name required, to match against *.kolido.net
> >     >>> host in "*.kolido.net"? no (failed to find host name for 91.184.48.154)
> >     >>> deny: condition test failed
> >
> > If I understand the spec, (section 10.13), there is nothing mentioned
> > about "double" checking the PTR:
>
> if it didn't double-check, it would be a massive security hole.
> _anyone_ can set up a PTR to point to your domain name. sure, it's not
> a problem for "deny", but many people use this for "accept", too.


Agreed. But I'm missing a note in the specs (10.13). Something like this:

    By default, in order to find a host name, Exim first does a reverse DNS lookup;
    if no name is found in the DNS, the system function (gethostbyaddr() or
    getipnodebyaddr() if available) is tried. The order in which these lookups are
    done can be changed by setting the host_lookup_order option.


| If the item from the list contains a wildcard or regular expression,
| the comparison only takes place if the original IP address is in
| the list of IP addresses for the hostname. This is done for
| security reasons.



- or probably using some real native Language :)

--
Heiko
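As an added illustration (not part of the thread, and not Exim's own code), here is a small Python model of the forward-confirmed reverse DNS check that the two messages above describe: a wildcard item such as `*.kolido.net` is compared only against a host name whose A records contain the connecting IP address, so a PTR that merely points into your domain is not enough. The resolver tables are constructed in memory so the example runs offline; the first two entries mirror the records quoted in the thread, the third is a made-up spoofed PTR. The function names (`confirmed_host_name`, `host_matches`) and the restriction to leading-asterisk patterns are assumptions of this example, not Exim APIs.

```python
# Added example, not code from the exim-users thread or from Exim itself.
# Models why "hosts = *.kolido.net" does not match 91.184.48.154: the PTR
# name is only used for wildcard matching if its A records confirm the IP.
from typing import Optional

# Constructed sample DNS data (assumption: shaped after the thread's records).
PTR_RECORDS = {
    "91.184.48.154": "ms105.nl.kolido.net",   # PTR points into kolido.net ...
    "193.239.6.105": "ms105.nl.kolido.net",   # ... and so does this one ...
    "10.0.0.5": "spoof.kolido.net",           # ... made-up PTR with no A record
}
A_RECORDS = {
    "ms105.nl.kolido.net": ["193.239.6.105"],  # only this IP is confirmed
}


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (stand-in for real DNS)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> list:
    """A-record lookup against the constructed table (stand-in for real DNS)."""
    return A_RECORDS.get(name, [])


def confirmed_host_name(ip: str) -> Optional[str]:
    """Return the host name for ip only if it is forward-confirmed.

    Steps: PTR lookup, then A lookup of that name, then check that the
    original IP is among the A records. Anything else yields None, which
    corresponds to Exim's "failed to find host name" in the thread.
    """
    name = reverse_lookup(ip)
    if name is None:
        return None                      # no PTR at all
    if ip not in forward_lookup(name):
        return None                      # PTR not confirmed by A records
    return name


def host_matches(ip: str, pattern: str) -> bool:
    """Model a single 'hosts = <pattern>' item.

    Only two forms are modelled (assumption): a leading "*." wildcard,
    which needs a confirmed host name ending in the suffix, and a plain
    IP literal, which needs no name lookup at all.
    """
    if pattern.startswith("*."):
        name = confirmed_host_name(ip)
        if name is None:
            return False
        suffix = pattern[1:].lower()     # "*.kolido.net" -> ".kolido.net"
        return name.lower().endswith(suffix)
    return ip == pattern


if __name__ == "__main__":
    for ip in ("91.184.48.154", "193.239.6.105", "10.0.0.5"):
        print(ip, "->", confirmed_host_name(ip),
              "| *.kolido.net matches:", host_matches(ip, "*.kolido.net"))
```

Running the block shows the thread's situation directly: 91.184.48.154 resolves to `ms105.nl.kolido.net` via PTR, but that name's A record is 193.239.6.105, so the wildcard item does not match; the deny rule only fires for 193.239.6.105, or for the IP literal itself.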