[Pkg-exim4-users] Use of primary_hostname with visiblename

Marc Haber mh+pkg-exim4-users at zugschlus.de
Sun Dec 3 23:15:59 CET 2006


On Wed, Oct 18, 2006 at 09:22:15PM -0700, Ross Boylan wrote:
> On Wed, Oct 18, 2006 at 06:22:00PM +0200, Marc Haber wrote:
> > On Wed, Oct 18, 2006 at 11:16:27AM -0400, Bill Horne wrote:
> > > Marc Haber wrote:
> > > >Hi,
> > > >
> > > >On Wed, Oct 18, 2006 at 09:01:10AM -0400, Bill Horne wrote:
> > > >  
> > > >>Because I have been trading emails with a system that demands perfect
> > > >>forward/backward lookups on HELO info, I've changed the primary_hostname
> > > >>of my Exim4 installation. 
> > > >>
> > > >>I have Linux setup as billhorne.homelinux.org, but because that name
> > > >>doesn't match the MX record assigned to my IP address, another MTA is
> > > >>refusing to accept my mail. Ergo, I have forced Exim to use the A record
> > > >>assigned by my ISP.
> > > >>    
> > > >
> > > >A host checking that a message coming in from the MX host of the
> > > >domain is fundamentally broken. 
> I can't parse that last sentence.  Is the meaning
>   A host checking that a message coming in from A DOMAIN IS FROM
>   the MX host of the domain is fundamentally broken.

Yes.

> ?  Then the issue is that outgoing mail need not come from machines
> marked as MX hosts (which are for incoming mail).

Yes. MX hosts handle incoming mail (from the recipient domain's POV).
Outgoing mail (this time from the sender's domain's POV) can be sent
from an arbitrary host. There is no way in well established DNS and
mail procedures to determine whether a given sending host is allowed
to use a domain as sender domain of a message.

There are a number of (half baked) schemes to give that kind of
verification (Domain Keys, SPF, Sender ID et al), but none of them is
widely accepted since they all break some existing features of e-mail,
such as mailing lists and/or mail forwarding.

> > > Sorry, I made a mistake: the MTA in question is checking the PTR record, 
> > > not the MX record. As I understand it, most MTA's check only for the 
> > > _existence_ of a PTR record, not whether it matches the A record, but 
> > > this one is rejecting emails if the A record doesn't match the PTR.
> > 
> > That's still fundamentally broken. 
> 
> I'm not sure what the fundamentally broken thing is, but I have a
> feeling I'm doing it.  My guess about what this means appears below.

It seems to be correct.

> > That's perfectly fine. My setup is the same:
> > 
> > [1/500]mh at scyw00225:~$ host -t mx zugschlus.de
> > zugschlus.de mail is handled by 30 mailgate2.zugschlus.de.
> > zugschlus.de mail is handled by 10 mailgate.zugschlus.de.
> > zugschlus.de mail is handled by 20 q.bofh.de.
> > [2/501]mh at scyw00225:~$ host mailgate.zugschlus.de.
> > mailgate.zugschlus.de has address 85.10.211.154
> > [3/502]mh at scyw00225:~$ host 85.10.211.154
> > 154.211.10.85.in-addr.arpa domain name pointer torres.zugschlus.de.
> > [4/503]mh at scyw00225:~$ host torres.zugschlus.de.
> > torres.zugschlus.de has address 85.10.211.154
> > [5/504]mh at scyw00225:~$
> 
> So the issue I see here is that if you send mail from
> mailgate.zugschlus.de, the reverse IP lookup finds a different name
> (torres.zugschlus.de), so remote servers checking for agreement will
> reject the message.  I think that's the behavior that is described as
> "fundamentally broken."

Yes, it is. Fundamentally broken.

> In an effort to fight spam, I reject messages when 
>   verify = helo
> fails, which I believe would happen in the previous scenario.

Probably. I don't think that it is even allowed to reject based on
HELO. A lot of sites (including myself) do it nevertheless. I, for
example, treat incoming mail as spam if the remote site HELOs with my
own IP address, host name or domain or some well-known
spammer/misconfigured box strings such as "friend" or "oemcomputer".

> I realize this is fairly draconian, but the previous discussion is
> making me wonder if it's totally out of line.

I find it totally out of line. You cannot use CNAMEs for MX records,
so the "have a dedicated A record for the generic MX host name in
addition to the 'real' host name record" is fairly widespread.

> Like the original poster, the reverse lookup gets a cryptic name made
> up by my ISP.  In other words, a server setup exactly like mine would
> reject email from me (if sent directly from my system)!

You surely begin to see what's the issue here ;)

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
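As an added illustration (not part of Marc's message or the thread), the script below contrasts the strict "PTR name must equal the HELO name" check that the thread calls broken with a forward-confirmed reverse DNS (FCrDNS) check. It runs offline against constructed in-memory tables that mirror the zugschlus.de `host` output quoted above; `192.0.2.1` is a constructed address with no PTR.

```python
# Added example, not from the Pkg-exim4-users thread. The lookup tables are
# constructed from the `host` output quoted in the message; a real deployment
# would replace resolve_a/resolve_ptr with socket.gethostbyname/gethostbyaddr
# or a dnspython resolver.
from typing import Dict, List

# Constructed forward (A) records, mirroring the quoted zone data.
A_RECORDS: Dict[str, List[str]] = {
    "mailgate.zugschlus.de": ["85.10.211.154"],
    "torres.zugschlus.de": ["85.10.211.154"],
}
# Constructed reverse (PTR) records: the IP points only at the "real" host name.
PTR_RECORDS: Dict[str, List[str]] = {
    "85.10.211.154": ["torres.zugschlus.de"],
}


def _canon(name: str) -> str:
    """Normalise a host name for comparison (strip trailing dot, lower-case)."""
    return name.rstrip(".").lower()


def resolve_a(name: str) -> List[str]:
    """Forward lookup stand-in: returns the A records for a name (empty if none)."""
    return A_RECORDS.get(_canon(name), [])


def resolve_ptr(ip: str) -> List[str]:
    """Reverse lookup stand-in: returns the PTR names for an IP (empty if none)."""
    return PTR_RECORDS.get(ip, [])


def strict_helo_ptr_match(helo: str, ip: str) -> bool:
    """The check the remote MTA in the thread applies: the connecting IP's PTR
    name must equal the HELO name. A legitimate MX host whose MX name is a
    second A record (mailgate vs. torres) fails this even though DNS is sane."""
    return _canon(helo) in {_canon(n) for n in resolve_ptr(ip)}


def fcrdns(ip: str) -> bool:
    """Forward-confirmed reverse DNS: at least one PTR name of the IP resolves
    back to that IP. This does not care which name the client used in HELO."""
    return any(ip in resolve_a(name) for name in resolve_ptr(ip))


def helo_forward_matches(helo: str, ip: str) -> bool:
    """Weaker but HELO-aware sanity check: the HELO name has an A record for
    the connecting IP, regardless of what the PTR says."""
    return ip in resolve_a(helo)
```

With the quoted zone data, mailgate.zugschlus.de fails the strict PTR-equality check but passes both FCrDNS and the HELO forward check, which is the mismatch the thread describes.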
