Re: [exim] Default enabling of dnsdb

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: W B Hacker
Ημερομηνία:  
Προς: exim users
Αντικείμενο: Re: [exim] Default enabling of dnsdb
W B Hacker wrote:
> W B Hacker wrote:
>> Dean Brooks wrote:
>>> On Sun, May 10, 2009 at 02:37:20AM +0800, W B Hacker wrote:
>>>> Brian Blood wrote:
>>>> I get the impression those participating in the thread are not aware
>>>> that the Exim reverse_host_lookup has sufficiently thorough logic to
>>>> discriminate between 'good enough' and 'NFW' returns.
>>> Neither reverse_host_lookup or the $host_lookup_failed variables are
>>> acceptable for testing explicitly for the existance of PTR records.
>>> Both will fail if the forward lookup fails.
>>>
>>> Also, those mechanisms do not give enough granularity over DNS
>>> timeouts on *just* the PTR lookup itself. The $host_lookup_deferred
>>> will be set if either the PTR or the forward lookup times out, which
>>> compounds the problem further.
>>>
>>> I am unaware of any other way to do this without using dnsdb.
>>>
>>> --
>>> Dean Brooks
>>> dean@???
>>>
>> I believe your last statement.
>>
>> That doesn't flag it immutable.
>>
>>
>> What do you suppose this does?
>>
>>
>>    # C_1 PTR RR Test
>>    #
>>    warn
>>     condition    = ${if eq{$sender_host_name}{}{yes}{no}}
>>     log_message  = C_1 Null return for PTR RR search. KMELHEA

>>
>> The real 'experts' here can probably do that in 1/10 the byte-count...
>>
>> Bill
>>
>
> .. or at least fix it 'coz it was the wrong one..
>
> ;-)
>
> THIS is what works:
>
>    # CONNECT_3A BFBI test for outright absence of a PTR RR
>    #
>    deny
>      logwrite    = C3A Checking for basic presence of PTR RR
>      condition   = ${if eq{$interface_port}{25}}
>      !hosts      = : +relay_from_hosts
>      condition   = ${if and{{def:sender_host_address} \
>                     {!def:sender_host_name}}{yes}{no}}
>      log_message  = C3A No PTR RR found for $sender_host_address

>
>
> NB: key conditional shamelessly stolen from a post by Marc Sherman 3+
> years ago:
>
> http://www.mail-archive.com/exim-users@exim.org/msg08258.html
>
> Exemptions for our non-MTA boxen's cron reports and port 587 submission
> inferred.
>
> TESTED today to NOT trigger on 'generic' PTR RR, NOR on 'stale'
> (once-valid, but now 'orphaned') PTR RR's.
>


My bad.

Flawed test, sad to say.

:-(

But the verdamnt information we need is 'inside' there, around line 1730
in ~/src/host.c, where:

(Mind the MUA-munge on indenting and line-wraps)

======

/* If we have failed to find a name, return FAIL and log when required.
NB host_lookup_msg must be in permanent store. */

if (sender_host_name == NULL)
   {
   if (host_checking || !log_testing_mode)
     log_write(L_host_lookup_failed, LOG_MAIN, "no host name found for IP "
       "address %s", sender_host_address);
   host_lookup_msg = US" (failed to find host name from IP address)";
   host_lookup_failed = TRUE;
   return FAIL;
   }


====

All we need to do is differentiate THAT particular 'NULL'
sender_host_name return from the identical content that will be returned
if we DO find a PTR RR but it proves to not match in the rest of that
module.

so...

=====

/* If we have failed to find a name, return FAIL and log when required.
NB host_lookup_msg must be in permanent store. */

if (sender_host_name == NULL)
   {
   if (host_checking || !log_testing_mode)
     log_write(L_host_lookup_failed, LOG_MAIN, "no host name found for IP "
       "address %s", sender_host_address);
   host_lookup_msg = US" (failed to find host name from IP address)";
   host_lookup_failed = TRUE;
   sender_host_name = sender_host_address;
   return FAIL;
   }


====

Inserting one line of code:

sender_host_name = sender_host_address;

... to utilize existing variables might be the mark of a Hacker (hey it
IS my 'real name')

..But is 'lighter' than having to build dnsdb just to see if a PTR RR
'exists'.

Recompile, reinstall.

The acl to utilize the above 'forced-bogus' return:

# C3A BFBI missing-PTR reject
#
deny
     condition   = ${if eq{$interface_port}{25}}
     !hosts      = : +relay_from_hosts
     condition   = ${if match{$sender_host_name}\
                   {$sender_host_address}{yes}{no}}
     log_message = C3A cannot find PTR RR for $sender_host_address


=====

..though I *still* prefer reverse_host_lookup for its more intelligent
and comprehensive overall handling...

No patch supplied.

I don't code 'C'.

Bill