Kjetil Torgrim Homme <kjetilho@???> (Sun 07 Jan 2007 22:52:37 CET):
> On Sun, 2007-01-07 at 22:16 +0100, Heiko Schlittermann wrote:
> > in my ACL there I've a rule
> >
> > deny hosts = *.kolido.net
> >
> > But exim accepts connections from 91.184.48.154.
> >
> > If I check the DNS, I find that
> > 91.184.48.154's PTR ms105.nl.kolido.net
> > though
> > ms105.nl.kolido.net A 193.239.6.105
> >
> > So the PTR does not fit to the A record.
>
> > >>> processing "deny"
> > >>> check hosts = *.kolido.net
> > >>> sender host name required, to match against *.kolido.net
> > >>> host in "*.kolido.net"? no (failed to find host name for 91.184.48.154)
> > >>> deny: condition test failed
> >
> > If I understand the spec, (section 10.13), there is nothing mentioned
> > about "double" checking the PTR:
>
> if it didn't double-check, it would be a massive security hole.
> _anyone_ can set up a PTR to point to your domain name. sure, it's not
> a problem for "deny", but many people use this for "accept", too.
Agreed. But I'm missing a note in the spec (10.13), something like this:
By default, in order to find a host name, Exim first does a reverse DNS lookup;
if no name is found in the DNS, the system function (gethostbyaddr() or
getipnodebyaddr() if available) is tried. The order in which these lookups are
done can be changed by setting the host_lookup_order option.
| If the item from the list contains a wildcard or regular expression,
| the comparison only takes place if the original IP address is in
| the list of IP addresses for the hostname. This is done for
| security reasons.
- or probably using some real native language :)
--
Heiko
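The forward-confirmation rule discussed in this thread, as an added illustration that is not Exim's code and not part of the original message. It models what the debug output above shows: a wildcard or regex item in a `hosts =` list is only compared against a PTR name whose own A records contain the connecting IP, otherwise the lookup is reported as "failed to find host name". The DNS data is a constructed in-memory stand-in for a resolver; the kolido.net records mirror the ones quoted above, the example.org entries and the 203.0.113.9 / 198.51.100.25 addresses are hypothetical (RFC 5737 documentation ranges).

```python
import fnmatch
import re

# Constructed DNS data standing in for a resolver (no network access).
# The 91.184.48.154 / 193.239.6.105 / ms105.nl.kolido.net records are the
# ones quoted in the thread; the example.org entries are hypothetical.
PTR = {
    "91.184.48.154": ["ms105.nl.kolido.net"],   # PTR that does NOT forward-confirm
    "193.239.6.105": ["ms105.nl.kolido.net"],   # PTR that does forward-confirm
    "203.0.113.9":   ["mail.example.org"],      # forged PTR pointing into someone else's zone
}
A = {
    "ms105.nl.kolido.net": ["193.239.6.105"],
    "mail.example.org":    ["198.51.100.25"],
}


def reverse_lookup(ip):
    """PTR names for ip (constructed data; [] when nothing is found)."""
    return PTR.get(ip, [])


def forward_lookup(name):
    """A records for name (constructed data; [] when nothing is found)."""
    return A.get(name, [])


def verified_host_name(ip):
    """Return the first PTR name whose forward (A) records include ip, else None.

    Without this step anyone who controls the reverse zone for their own
    address space could make a connection appear to come from *.kolido.net."""
    for name in reverse_lookup(ip):
        if ip in forward_lookup(name):
            return name
    return None


def host_matches(ip, item):
    """Evaluate one item of an Exim-style 'hosts =' list.

    Returns (matched, reason). Literal IP items are compared directly; wildcard
    ('*.domain') and regex ('^...') items require a forward-confirmed host name."""
    if item.startswith("^"):                       # regular expression item
        def matcher(name):
            return re.search(item, name) is not None
    elif "*" in item:                              # wildcard item
        def matcher(name):
            return fnmatch.fnmatchcase(name.lower(), item.lower())
    else:                                          # literal IP address: no DNS involved
        if ip == item:
            return True, f"{ip} matches literal item {item}"
        return False, f"{ip} does not match literal item {item}"

    name = verified_host_name(ip)
    if name is None:
        return False, f"failed to find host name for {ip}"
    if matcher(name):
        return True, f"{name} matches {item}"
    return False, f"{name} does not match {item}"


def acl_deny(ip, items):
    """Model 'deny hosts = item1 : item2 : ...': deny on the first matching item."""
    for item in items:
        matched, reason = host_matches(ip, item)
        if matched:
            return True, reason
    return False, f"no item matched {ip}"


if __name__ == "__main__":
    for ip in ("91.184.48.154", "193.239.6.105", "203.0.113.9"):
        print(ip, acl_deny(ip, ["*.kolido.net", "*.example.org"]))
```

Running the block reproduces the situation in the thread: 91.184.48.154 is not denied because its PTR name does not resolve back to it, while 193.239.6.105 (which the same name does resolve to) is. The forged example.org PTR on 203.0.113.9 is likewise rejected, which is exactly the "accept" case Kjetil is worried about.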