
Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?



Joe <joe@jretrading.com> writes:

> On Sat, 09 Jul 2011 19:00:42 +0200
> lee <lee@yun.yagibdah.de> wrote:
>
>> Erwan David <erwan@rail.eu.org> writes:
>> 
>> > On 09/07/11 18:15, lee wrote:
>> > This kind of check is useless and loses too many legit emails.
>> 
>> The rDNS check is very useful because it keeps out tons of SPAM
>> without occupying too many resources.  It also seems to be common
>> practise.  Do you have a better suggestion?
>> 
>> 
>
> Yes. 
>
> -Check that sender IP address has a PTR.
> -Check that the PTR string exists as an A record in public DNS and the
> A record returns the same IP address
> -Check that HELO resolves in public DNS either to a domain or an A
> record, though not necessarily the same one as the sender PTR

This sounds good to me.

> Exim4 will do this easily. I can no longer recall whether these are
> default settings, but they are certainly only a matter of enabling
> existing programmed checks.

It seems that there aren't exactly default settings for exim4.  When you
think of Debian, they have come up with their own way of configuring
exim, and when you use it, you don't know anymore how exim is
configured.  Then there's the example configuration in the
documentation, and it doesn't have an rDNS check in it at all.

What I have is:

,----
|     deny !verify = reverse_host_lookup
|          message = no reverse DNS record for ${sender_host_address} found
|      log_message = No reverse DNS record for ${sender_host_address} \
|                    (claimed to be ${sender_helo_name}).
`----

The exim specification says:

,----
| *verify = reverse_host_lookup*
| 
|      This condition ensures that a verified host name has been looked up
|      from the IP address of the client host. [...] Verification ensures
|      that the host name obtained from a reverse DNS lookup, or one of
|      its aliases, does, when it is itself looked up in the DNS, yield
|      the original IP address.
|      [...]
`----

So there isn't any check on what's given in the [E]HELO statement with
this.  Now I've spent about two hours trying to figure out how to check
if the $sender_helo_name is resolvable and didn't get anywhere other
than finding out that it could be done easily with something like
${lookup dnsdb{a=${sender_helo_name}}{$value}fail}.  The exim syntax
is horrible with things like that :(  I need to look into that some more
...

> There's no need for the HELO to match the PTR,

Thank you for the clarification; I was obviously wrong.


-- 
html messages are obsolete
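
Joe's three checks written out as an Exim 4 ACL fragment, added here as an example and not configuration from either poster. It assumes Exim was built with the dnsdb lookup (the Debian package has it), that the fragment sits in the ACL named by acl_smtp_rcpt, and that a hostlist called relay_from_hosts exists for machines that should skip the checks, as in Debian's generated configuration.

```exim
  # Assumed hostlist: local networks and other trusted relays skip all of
  # this, since their rDNS and HELO are usually not meaningful.
  accept  hosts        = +relay_from_hosts

  # Checks 1 and 2: the client IP has a PTR, and the name in that PTR (or
  # an alias of it) resolves back to the same IP.  Exim does both in one
  # condition; see "verify = reverse_host_lookup" in the spec.
  deny    !verify      = reverse_host_lookup
          message      = no valid reverse DNS for $sender_host_address
          log_message  = no reverse DNS for $sender_host_address \
                         (claimed to be $sender_helo_name)

  # Check 3: the HELO/EHLO name must resolve in public DNS, to an address
  # or to a domain with MX.  It does not have to match the PTR.  An address
  # literal such as [192.0.2.10] is valid SMTP, so it is let through by the
  # first condition.  All conditions must be true for the deny to fire.
  deny    !condition   = ${if match{$sender_helo_name}{\N^\[.*\]$\N}}
          !condition   = ${lookup dnsdb{a=$sender_helo_name}{yes}{no}}
          !condition   = ${lookup dnsdb{aaaa=$sender_helo_name}{yes}{no}}
          !condition   = ${lookup dnsdb{mx=$sender_helo_name}{yes}{no}}
          message      = HELO name $sender_helo_name does not resolve
          log_message  = unresolvable HELO $sender_helo_name \
                         from $sender_host_address
```

If the resolver itself fails (DNS timeout rather than NXDOMAIN), the dnsdb lookup forces the expansion to fail and Exim returns a temporary 4xx rather than a permanent reject, so a DNS outage delays mail instead of bouncing it; switching the HELO deny to warn for a while shows in the log how much legitimate mail the check would have refused.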