On 12/07/11 13:29, Always Learning wrote:
>> 2011-07-06 07:13:46 H=[210.51.1.248]:53078 I=[xx.xx.xx.xx]:25 rejected
>> connection in "connect" ACL: host lookup failed (210.51.1.248 does not
>> match any IP address for mail.sailblog.cn): 1 Time(s)
>>
>> yet:-
>> host 210.51.1.248
>>
>> 248.1.51.210.in-addr.arpa domain name pointer mail.sailblog.cn.
>> 248.1.51.210.in-addr.arpa domain name pointer mail.powermail.com.cn.
>> 248.1.51.210.in-addr.arpa domain name pointer sailblog.cn.
>> 248.1.51.210.in-addr.arpa domain name pointer powermail.com.cn.
>>
>> accept verify = reverse_host_lookup
>>
> I notice that
>
> host mail.sailblog.cn
>
> reveals
>
> mail.sailblog.cn is an alias for mail.cn4dns.com.
> mail.cn4dns.com has address 61.4.82.32
>
> so should the error message be made more accurate? For example
> "IP address for mail.sailblog.cn does not match 210.51.1.248"
The message is accurate. There is no direct tie in between
mail.sailblog.cn and 210.51.1.238 resulting in a warning message. The
PTR lookup does not yield the same answer as the forward lookup, which
is the entire point of verify = reverse_host_lookup.
[docs] Exim Spec - Chapter 40.24. ACL conditions
verify = reverse_host_lookup
This condition ensures that a verified host name has been looked up
from the IP address of the client host. (This may have happened already
if the host name was needed for checking a host list, or if the host
matched host_lookup.) Verification ensures that the host name obtained
from a reverse DNS lookup, or one of its aliases, does, when it is
itself looked up in the DNS, yield the original IP address.
[/docs]
I would also recommend updating to the most recent available security
update of Exim on CentOS as I'm fairly sure there is a remote root
exploit against your current version.